Babuk ransomware targets 5 critical business sectors – healthcare & transportation among them
Babuk ransomware is a new ransomware threat discovered in 2021 that has impacted at least five big enterprises, with one already paying the criminals $85,000 after negotiations. As with other
variants, this ransomware is deployed in the network of enterprises that the criminals carefully target and compromise.
Using MVISION Insights, McAfee was able to plot the telemetry of targets, revealing that the group is currently targeting the transportation, healthcare, plastic, electronics, and agricultural sectors across multiple geographies.
Summary of the Threat:
ï‚·Babuk ransomware is a new ransomware family originally detected at the beginning of 2021.
ï‚·Its operators adopted the same operating methods as other ransomware families and leaked
the stolen data on a public website
Babuk’s codebase and artefacts are highly similar to Vasa Locker’s.
ï‚·Babuk advertises on both English-speaking and Russian-speaking forums, where it seems the
former is used for announcements and the latter is focused on affiliate recruitment and
ransomware updates.
ï‚·The individuals behind Babuk ransomware have explicitly expressed themselves negatively
against the BlackLivesMatter (BLM) and LGBT communities.
ï‚·At least 5 companies have been breached as of January 15, 2021.
ï‚·The ransomware supports command line operation and embeds three different built-in
commands used to spread itself and encrypt network resources.
ï‚·It checks the services and processes running so it can kill a predefined list and avoid detection.
ï‚·There are no local language checks, in contrast to other ransomware gangs that normally spare devices in certain countries.
ï‚·The most recent variant has been spotted packed.
Looking at other similar Ransomware-as-a-Service families we have seen that certain entry vectors are quite common amongst ransomware criminals:
ï‚·E-mail Spearphishing (T1566.001). Often used to directly engage and/or gain an initial foothold, the initial phishing email can also be linked to a different malware strain, which acts as a loader
and entry point for the ransomware gangs to continue completely compromising a victim’s network. We have observed this in the past with Trickbot and Ryuk, Emotet and Prolock, etc.
ï‚·Exploit Public-Facing Application (T1190) is another common entry vector; cyber criminals are avid consumers of security news and are always on the lookout for a good exploit. We therefore encourage organizations to be fast and diligent when it comes to applying patches. There are numerous examples in the past where vulnerabilities concerning remote access software, webservers, network edge equipment and firewalls have been used as an entry point.
ï‚·Using valid accounts (T1078) is and has been a proven method for cybercriminals to gain a foothold. After all, why break the door if you have the keys? Weakly protected Remote Desktop
Protocol (RDP) access is a prime example of this entry method.
​Valid accounts can also be obtained via commodity malware such as infostealers, that are designed to steal credentials from a victim’s computer. Infostealer logs containing thousands of
credentials are purchased by ransomware criminals to search for VPN and corporate logins. As an organization, robust credential management and multi-factor authentication on user
accounts is an absolute must have.
Coverage and Protection Advice
Initially, in our research the entry vector and the complete tactics, techniques and procedures (TTPs) used by the criminals behind Babuk remained unclear.
However, when its affiliate recruitment advertisement came online, and given the specific underground meeting place where Babuk posts, defenders can expect similar TTPs with Babuk as
with other Ransomware-as-a-Service families.
In its recruitment posting Babuk specifically asks for individuals with pentest skills, so defenders should be on the lookout for traces and behaviors that correlate to open-source penetration testing
tools like winPEAS, Bloodhound and SharpHound, or hacking frameworks such as CobaltStrike, Metasploit, Empire or Covenant.
