Despite being a mostly run-of-the-mill ransomware strain, Babuk Locker’s encryption mechanisms and abuse of Windows Restart Manager set it apart.
Only a few days into the new year, one of the first new ransomware strains of 2021 has been discovered. Dubbed Babuk Locker, the ransomware appears to have successfully compromised five companies thus far, according to new research.
The research author, Chuong Dong, a computer science student at Georgia Tech, said that he first saw the ransomware mentioned in a tweet by a security researcher who goes by “Arkbird” on Twitter. He then discovered information about Babuk on RaidForums, which is a forum for sharing databases of breaches and leaks.
Dong said, according to the website embedded in Babuk’s ransom note, and based on information from the RaidForums leaks, the ransomware has successfully compromised five different companies worldwide. According to a report by BleepingComputer, these victim companies range from a medical testing products manufacturer to an air conditioning and heating company in the U.S. — and at least one of the companies has agreed to pay an $85,000 ransom.
While Babuk has some hallmark characteristics that range from unsophisticated to run-of-the-mill, it also touts more novel tricks, specifically when it comes to encryption and the abuse of legitimate Windows features, said Dong.
“Babuk is a new ransomware that started at the beginning of this year,” said Dong in an analysis this week. “Despite the amateur coding practices used, its strong encryption scheme that utilizes Elliptic-curve Diffie–Hellman algorithm has proven effective in attacking a lot of companies so far.”
The ransomware, which comes in the form of a 32-bit .EXE file, notably lacks obfuscation. It’s also not yet clear how the ransomware is initially spread to victims.
“So far, we don’t know how the ransomware got into the company, but it’s most likely phishing similar to other ransomware groups’ approaches,” Dong told Threatpost.
Once it runs, Babuk works through a hard-coded list of services and processes to stop before encryption begins. The services are largely backup- and system-monitoring related, including BackupExecVSSProvider, YooBackup and BackupExecDiveciMediaService. On the process side, Babuk tries to terminate 31 processes, from sql.exe to oracle.exe and outlook.exe.
“Closing applications is beneficial because those applications might be opening files when the ransomware is run,” Dong explained to Threatpost. “In order to encrypt files, it must be able to open them. If another application already did that, then encryption will fail.”
Babuk also attempts to delete shadow copies before and after encryption. Shadow copies exist in Microsoft Windows and are used to create backup copies or snapshots of various files.
“After deleting the shadow copies, Babuk checks if the system is running under a 64-bit processor,” according to Dong. “If it is, then Wow64RevertWow64FsRedirection is called to enable file system redirection again.”
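The kill list and shadow-copy deletion described above are the pre-encryption steps a defender can watch for, since they happen before any file is touched. The following is an added detection example written for this article, not code from Dong’s analysis or from the malware: it parses a few constructed telemetry lines (the event vocabulary `service_stop`, `process_kill` and `shadow_delete` is an assumption about what an EDR or Sysmon pipeline would emit) and raises an alert only when one process both stops several of the named backup services and deletes shadow copies within a short window, so a lone administrative cleanup does not trigger it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Names taken from the article's description of Babuk's hard-coded kill list.
BACKUP_SERVICES = {"BackupExecVSSProvider", "YooBackup", "BackupExecDiveciMediaService"}
TARGET_PROCESSES = {"sql.exe", "oracle.exe", "outlook.exe"}

# Constructed sample telemetry, not real logs: "<ISO time> <pid> <action> <target>".
# The action names are an assumed normalisation of EDR/Sysmon events.
SAMPLE_EVENTS = """\
2021-01-05T10:00:01 4120 service_stop BackupExecVSSProvider
2021-01-05T10:00:01 4120 service_stop YooBackup
2021-01-05T10:00:02 4120 service_stop BackupExecDiveciMediaService
2021-01-05T10:00:02 4120 process_kill sql.exe
2021-01-05T10:00:03 4120 process_kill outlook.exe
2021-01-05T10:00:04 4120 shadow_delete vssadmin.exe
2021-01-05T10:30:00 772 service_stop YooBackup
2021-01-05T11:00:00 900 shadow_delete vssadmin.exe
garbage line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\w+) (\S+)$")


def parse_events(text):
    """Turn raw lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, pid, action, target = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "pid": int(pid),
                       "action": action, "target": target})
    return events


def score_window(window):
    """Summarise what one process did inside a time window."""
    stopped = {e["target"] for e in window
               if e["action"] == "service_stop" and e["target"] in BACKUP_SERVICES}
    killed = {e["target"].lower() for e in window
              if e["action"] == "process_kill" and e["target"].lower() in TARGET_PROCESSES}
    shadow = any(e["action"] == "shadow_delete" for e in window)
    return stopped, killed, shadow


def detect_pre_encryption(events, window_seconds=60, min_services=2):
    """Alert when a single pid stops >= min_services backup services AND deletes
    shadow copies within window_seconds. Returns one alert per offending pid."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    alerts = []
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            limit = start["ts"] + timedelta(seconds=window_seconds)
            window = [e for e in evs[i:] if e["ts"] <= limit]
            stopped, killed, shadow = score_window(window)
            if len(stopped) >= min_services and shadow:
                alerts.append({"pid": pid, "first_seen": start["ts"].isoformat(),
                               "services": sorted(stopped), "processes": sorted(killed)})
                break  # one alert per process is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_pre_encryption(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Pid 772 stops only one backup service and pid 900 only deletes shadow copies, so neither fires; pid 4120 does both within a few seconds and is reported with the services and processes it touched, which is the context an analyst wants before the encryption threads start.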
Of note is Babuk’s encryption mechanism: It uses its own implementation of SHA hashing, ChaCha8 encryption and the Elliptic-curve Diffie–Hellman (ECDH) key generation and exchange algorithm to encrypt files in the attack – making them near-impossible for victims to recover.
“Because of ECDH’s mechanism, the ransomware author can generate the shared secret using his own private key and the victim’s public key to decrypt files,” said Dong. “This makes it impossible for the victim to decrypt on their own unless they can capture the randomly-generated private key in the malware before it finishes encrypting.”
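Dong’s point about ECDH is the property that both parties derive the same shared secret from their own private key and the other side’s public key. The block below is an added illustration, not Babuk’s code and not from Dong’s write-up: it implements X25519 from RFC 7748 in pure Python as a stand-in (the article does not name the curve Babuk uses), uses SHA-256 over the shared point as the key-derivation step in place of the malware’s own SHA routine, and stops at key agreement, leaving out the ChaCha8 file encryption. The function names `sender_setup`, `recipient_recover`, `keys_agree` and `outsider_cannot_recover` are mine. What it shows is why the ephemeral private key discarded on the sender side is the only thing that would let a victim recover the file key without the operator’s private key.

```python
import hashlib
import os

# ---- X25519 (RFC 7748) in plain Python; illustrative, not constant-time ----
P = 2**255 - 19          # field prime
A24 = 121665             # (486662 - 2) / 4
BASEPOINT_U = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    # RFC 7748: ignore the top bit of the last byte
    return int.from_bytes(u, "little") & ((1 << 255) - 1)


def _ladder(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5 (x-coordinate only)."""
    x1 = u
    x2, z2, x3, z3 = 1, 0, u, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return x2 * pow(z2, P - 2, P) % P


def x25519(scalar: bytes, u: bytes) -> bytes:
    return _ladder(_clamp(scalar), _decode_u(u)).to_bytes(32, "little")


def public_key(private: bytes) -> bytes:
    return x25519(private, BASEPOINT_U)


def derive_file_key(own_private: bytes, peer_public: bytes) -> bytes:
    # KDF stand-in (assumption): SHA-256 over the raw shared point.
    return hashlib.sha256(x25519(own_private, peer_public)).digest()


def sender_setup(recipient_public: bytes):
    """Sender side of the hybrid scheme: a fresh ephemeral pair per run, key derived
    against the recipient's long-term public key. Only the ephemeral *public* key is
    kept (it travels with the ciphertext); the private half is the one secret a
    defender would have to capture from memory before it is discarded."""
    ephemeral_private = os.urandom(32)  # constructed: random per run
    ephemeral_public = public_key(ephemeral_private)
    file_key = derive_file_key(ephemeral_private, recipient_public)
    return ephemeral_public, file_key


def recipient_recover(recipient_private: bytes, ephemeral_public: bytes) -> bytes:
    """Recipient side: the same shared point from the other pair of keys."""
    return derive_file_key(recipient_private, ephemeral_public)


def keys_agree() -> bool:
    recipient_private = os.urandom(32)
    ephemeral_public, file_key = sender_setup(public_key(recipient_private))
    return recipient_recover(recipient_private, ephemeral_public) == file_key


def outsider_cannot_recover() -> bool:
    """Holding only what lands on disk (two public keys) yields nothing usable."""
    recipient_private = os.urandom(32)
    ephemeral_public, file_key = sender_setup(public_key(recipient_private))
    guess = derive_file_key(os.urandom(32), ephemeral_public)
    return guess != file_key


if __name__ == "__main__":
    print("keys agree:", keys_agree(), "| outsider locked out:", outsider_cannot_recover())
```

The practical consequence for responders follows directly: once `sender_setup` returns and its private key is gone, the only artifacts left are public, so a memory capture taken while the process is still running is the sole point at which the file key could be recovered without the operator’s cooperation.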
Babuk also uses multithreading. Most machines now have one or more multi-core CPUs, which allow processes to execute in parallel and make better use of the system. Ransomware like Babuk can be written to exploit that parallelism in order to “parallelize individual tasks to ensure faster and, subsequently, more harmful impact before victims discover they’re under attack,” Sophos researchers have said.
However, Dong said the ransomware’s “approach to multithreading is pretty mediocre.”
For one, its multithreading process uses recursion for traversing files, he said. This process starts with a thread at the highest directory (for example, C:// drive), which, in the main encrypting function, will go through each item in the parent directory. If it finds a file, it encrypts it. If a new directory is found, the process will call the main encrypting function again with that directory as the parent directory to traverse that folder. This process continues for multiple layers until Babuk has crawled through every folder and file, Dong explained.
“This is the old-school and basic approach for ransomware, and it’s typically used by people who are new to malware development,” Dong told Threatpost. “The idea is fine, but this is a crazy amount of work considering how a normal system has at least 10,000 files.”
The ransomware’s multithreading process also determines the number of threads to spawn by doubling the number of cores on the victim’s machine and then allocating an array to store all of the thread handles.
“A huge amount of threads can potentially be created for each process,” said Dong. “However, in an ideal situation, it’s better to have one thread running per processor to avoid having threads competing with each other for the processor’s time and resource during encryption.”
In contrast, Dong added, a correct approach for multithreading has been utilized by the Conti ransomware, which spawns one thread for each processing core.
“Its encryption is crazy-fast with just under 30 seconds to encrypt the C:// drive,” he said.
Windows Restart Manager
Babuk also leverages Microsoft’s legitimate Windows Restart Manager feature, which enables users to shut down and restart all applications and services (minus critical ones). The ransomware uses this feature to terminate any process that is using files – which Dong said ensures that nothing will prevent the malware from opening and encrypting the files.
Other popular ransomware families have previously abused Windows Restart Manager, including the Conti ransomware (as seen in a July 2020 attack) and the REvil ransomware (seen in a new May 2020 version).
Once all files have been encrypted, Babuk’s ransom note tells victims their computers and servers are encrypted, and demands the victim contact them using a Tor browser.
However, “if the victim tries to pay the ransom they must upload files in a chat so that the ‘hackers’ can make sure they are able to decrypt the files,” Lamar Bailey, senior director of security research at Tripwire, said in an email. “I expect there is a pretty high failure rate. Will they make money? Absolutely. But like many fads, this will be a thing of the past in a few months and will not generate a lot of money long-term. Until then, stay away from 32-bit .exe files.”
The new ransomware strain comes as ransomware attacks continue to rise – with the number of ransomware attacks jumping by 350 percent since 2018. Healthcare systems have been hit particularly hard over the past year by ransomware actors, with a recent report saying that healthcare organizations have seen a 45 percent increase in cyberattacks since November.