In January 2021, a new ransomware called “Babuk” came to light after impacting at least five big enterprises. The ransomware has targeted many well-known organizations across several industry sectors such as Manufacturing, Transportation, Construction and Materials, and Law Firms, among others. Our research indicates that the Babuk ransomware group was highly active in May 2021 and performed at least 42 attacks, as shown in the figure below.
Figure 1 – Countries affected by the ransomware
The top five countries affected by the Babuk ransomware are the U.S., Canada, Spain, France, and Germany. The image below shows the distribution of the top 10 industries targeted by Babuk.
Figure 2 – Industry-wise split of victims
During our routine Open-source Intelligence (OSINT) research, Cyble researchers came across a leaked binary of the Babuk ransomware builder, which was initially brought to light in a post on Twitter.
Upon extraction of the .zip file, we were presented with the following binaries.
Figure 3 – Binaries extracted from the zip file
We launched the “builder.exe [FolderName]” command to generate the Babuk encryptor/decryptor binaries in the [FolderName].
Figure 4 – Binaries generated by builder.exe
Below are the details of each file:
| Sr. No | Pre-Build Binary | Post-Build Binary | Description |
|---|---|---|---|
| 1 | d_esxi.out | d_esxi.out | Decryptor for ESXi |
| 2 | d_nas_arm.out | d_nas_arm.out | Decryptor for NAS ARM |
| 3 | d_nas_x86.out | d_nas_x86.out | Decryptor for NAS x86 |
| 4 | d_win.bin | d_win.exe | Decryptor for Windows |
| 5 | e_esxi.out | e_esxi.out | Encryptor for ESXi |
| 6 | e_nas_arm.out | e_nas_arm.out | Encryptor for NAS ARM |
| 7 | e_nas_x86.out | e_nas_x86.out | Encryptor for NAS x86 |
| 8 | e_win.bin | e_win.exe | Encryptor for Windows |
- Babuk Builder Analysis
Execution Flow of Babuk Builder
Figure 5 – Execution Flow of Babuk Builder
We started with the static analysis of Babuk Builder and found that the application is a console-based x86 application, developed in C/C++ and compiled on “2021-03-16 10:03:10”.
Figure 6 – Static information of builder.exe
During the code analysis, we found that the code/function showcased in the image below is a critical part of Babuk Builder. In the figure below, we can see that the “CryptGenRandom” API is used to generate the “random seed” (KS), and the function “sub_4044F0” is called to generate the “Key” (KP).
Figure 7 – Seed and Key value generator functions
The code shown in the figure below concatenates the folder name with the “Post-Build” binary name, and then passes the “Pre-build” binary name to the “sub_404790” and “sub_404650” functions. “sub_404790” creates the ransomware (encryptor) binaries, whereas “sub_404650” creates the decryptor binaries.
Figure 8 – Functions for creating encryptor/ransomware and decryptor of different architecture.
The code shown in the figure below is part of the “sub_404650” function and has the task of hardcoding the “Ransom Note” and the “Key” (KP).
Figure 9 – Hardcoding Ransom note content and Key (KP)
Both figures below, captured during runtime (process execution) analysis, show the “Ransom Note” and the “Key” (KP): the first shows the “Key” (KP), while the second shows the “Ransom Note”.
Figure 11 – Hard coding Ransom Note
Once the ransomware/encryptor file has been generated, the builder calls the “sub_404650” function to generate the “decryptor” binaries. As seen in the image below, captured during runtime (process execution) analysis, this code hardcodes the “Key” (KS) into the “decryptor” binary and writes the final decryptor binary to disk.
Figure 12 – Hardcoding Seed (KS) during runtime analysis
Finally, the code shown in the figure below takes a “Random” seed file as input from the user and generates the “Key” (KP) from it. The “Encryptor” and “Decryptor” binaries are then generated by calling the “sub_404790” and “sub_404650” functions.
Figure 13 – Take seed value file as an input
- Babuk Encryptor Analysis
Execution Flow of the Babuk Encryptor (Ransomware)
Figure 14 – Execution Flow of Babuk Encryptor (Ransomware)
We started with the analysis of the Babuk Encryptor (Ransomware) and found that the application is a GUI-based x86 application, developed in C/C++ and compiled on “2021-03-23 19:22:40”.
Figure 15 – Basic static analysis details
Upon execution of the encryptor/ransomware binary, the process tree shown below was created.
Figure 16 – Process tree after executing encryptor/ransomware
Furthermore, we noticed that the binary launches the vssadmin.exe process to delete all shadow copies using the command “vssadmin.exe delete shadows /all /quiet”, as shown in the figure below.
Figure 17 – Using vssadmin.exe to delete all shadow copies.
The figure below shows the infection activity of the ransomware.
Figure 18 – Infection activity of the encryptor/ransomware.
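As an added detection example (not code from the original post), the following Python flags the shadow-copy deletion command above in process-creation telemetry and tags it with the ATT&CK technique listed later on this page. The event line format and the sample events are constructed assumptions.

```python
import re

# Constructed sample process-creation events (assumed format, not from the post):
# "<timestamp> ppid=<n> parent=<image> image=<image> cmd=<command line>"
SAMPLE_LOG = """\
2021-05-01T10:00:01Z ppid=4120 parent=e_win.exe image=vssadmin.exe cmd=vssadmin.exe delete shadows /all /quiet
2021-05-01T10:00:02Z ppid=1200 parent=explorer.exe image=notepad.exe cmd=notepad.exe report.txt
2021-05-01T10:00:03Z ppid=4120 parent=e_win.exe image=VSSADMIN.EXE cmd=C:\\Windows\\System32\\VSSADMIN.EXE Delete Shadows /Quiet /All
2021-05-01T10:00:04Z ppid=900 parent=backup.exe image=vssadmin.exe cmd=vssadmin.exe list shadows
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ppid=(?P<ppid>\d+) parent=(?P<parent>\S+) "
    r"image=(?P<image>\S+) cmd=(?P<cmd>.*)$"
)


def is_shadow_copy_deletion(cmd: str) -> bool:
    """True when the command line deletes shadow copies with vssadmin.

    Tokens are compared case-insensitively and switch order is ignored, so
    'Delete Shadows /Quiet /All' is still caught, while 'vssadmin list shadows'
    (a legitimate backup query) is not.
    """
    tokens = cmd.lower().split()
    if not tokens:
        return False
    exe = tokens[0].rsplit("\\", 1)[-1]          # strip any directory prefix
    if exe not in ("vssadmin", "vssadmin.exe"):
        return False
    # "delete shadows" must appear as an adjacent verb/object pair
    return any(tokens[i] == "delete" and tokens[i + 1] == "shadows"
               for i in range(len(tokens) - 1))


def find_shadow_deletions(log_text: str) -> list:
    """Return one alert per matching event, tagged with ATT&CK T1490."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_shadow_copy_deletion(m["cmd"]):
            alerts.append({"ts": m["ts"], "parent": m["parent"],
                           "cmd": m["cmd"], "technique": "T1490"})
    return alerts
```

The parent image in each alert is what ties the event back to the encryptor process in the tree shown in Figure 16.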
Based on code analysis, we found four primary functions in the Babuk encryptor, as depicted in the image below.
Figure 19 – Stopping VSS Service, closing list of process, Deleting Shadow copies and Cleaning recycle bin
The four functions called by the encryptor are sub_404770(), sub_4049B0(), sub_4046D0(), and SHEmptyRecycleBinA, and their objectives are showcased in the table below.
| Function | Purpose |
|---|---|
| sub_404770() | Stopping the VSS Service |
| sub_4049B0() | Closing the list of processes that prevent file encryption |
| sub_4046D0() | Deleting all shadow copies |
| SHEmptyRecycleBinA | Emptying the Recycle Bin |
The Encryptor binary fetches the details of the number of processors available on the victim system.
Figure 20 – To retrieve the number of processors used in the victim system
The encryptor then loops to create one thread per available processor; “StartAddress” holds the address of the function that performs the encryption task.
Figure 21 – Creating threads for encrypting the files and creating ransom notes
Once the function at StartAddress is called, it calls the sub_412ED0 function to create the “Ransom Note” and perform the “File Encryption Action”.
Figure 22 – Function to create ransom note and encrypt file logic
Next, the function sub_412ED0 starts enumerating system folders and creates ransom notes in each folder.
Figure 23 – Creating ransom notes
As shown in the figure below, during runtime (process execution) analysis we can see that “How to Restore Your Files.txt” has been created with the content “text”.
Figure 24 – Created ransom notes with content text
The “sub_409740” function, which is responsible for encrypting the targeted files, is then executed; it performs the following steps:
| Sr. No | sub_409740 Intent |
|---|---|
| 1 | Append the .babyk extension to all files |
| 2 | Retrieve the “Key” (KP) |
| 3 | Read the content of the .babyk file |
| 4 | Encrypt the content of the .babyk file |
| 5 | Write the encrypted content |
| 6 | Append the signature to the encrypted content |
The code below shows the Encryptor appending the .babyk extension to each file it finds.
Figure 25 – Appending the file extension with .babyk
Upon successfully renaming the file, the Encryptor fetches the Key (KP) hardcoded in the .data section of its binary.
Figure 26 – Fetch Key(KP) from .data section
During the runtime (process execution) analysis, we can see that the encryptor fetches the Key(KP).
Figure 27 – Fetches the Key(KP) during runtime analysis.
Once the “Key” (KP) has been fetched, the Encryptor reads the .babyk file, whose content at this stage is still plain text.
Figure 28 – Read non-encrypted content from .babyk extension file
Then, the Encryptor calls the function “sub_4101E0” to encrypt the content.
Figure 29 – Function called to encrypt the non-encrypted content
Then it writes the encrypted content to the file.
Figure 30 – Write encrypted contents to the .babyk file.
Later, it appends the signature “choung dong looks like hot dog!!” to the end of the encrypted content of the same file.
Figure 31 – Writes “choung dong looks like hot dog!!” signature at the end of the encrypted file.
The Encryptor also creates a mutex named “DoYouWantToHaveSexWithChuongDong” on the system.
Figure 32 – Create mutex with name “DoYouWantToHaveSexWithChuongDong”
- Babuk Decryptor Analysis
Execution Flow of Babuk Decryptor
Figure 33 – Execution Flow of Babuk Decryptor
Upon code analysis, we saw that the code in the image below presents a message box to the user with the content “Press ‘OK’ to start decryption process!” before it starts decrypting the document files.
Once the user clicks ‘OK’, the Decryptor creates the mutex “DoYouWantToHaveSexWithChuongDong” to ensure that only one Decryptor process is running at a time, as seen in the figure below.
Figure 34 – Show “Start decryption process” message box to victim and create mutex
Later, it deletes all items from the Recycle Bin by calling the “SHEmptyRecycleBinA”, as shown in the figure below.
Figure 35 – Clean recycle bin
As shown in the code below, the Decryptor fetches the number of processors available on the victim machine.
Figure 36 – Fetches the number of processors available on the victim system.
Depending on the number of processors, the Decryptor creates threads to start the decryption process. Here the StartAddress function holds the address of the Decryptor function.
Figure 37 – Create threads for decryption of files
In the StartAddress function, another function, “sub_406990”, is called to perform the decryption.
Figure 38 – Actual decryption function called
The function sub_406990 looks for encrypted files with the .babyk extension, renames them by removing the .babyk extension, and obtains a file “handle” for further operations, as shown in the figure below.
Figure 39 – Remove the .babyk extension from the encrypted file and open a handle to it.
The Decryptor binary then reads the tail of the encrypted file, matches it against the signature “choung dong looks like hot dog!!”, and removes it from the encrypted file.
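The trailer check described here and under Figure 31 gives a defender a cheap way to scope an incident: the Python below (an added example, not code from the post or from the builder) classifies files on a host by the .babyk extension and the 32-byte signature, distinguishing fully encrypted files from files that were renamed but never encrypted. The sample directory it builds is constructed test data.

```python
import os
import tempfile

# Trailer the encryptor appends after the ciphertext (see Figure 31)
BABUK_SIGNATURE = b"choung dong looks like hot dog!!"   # 32 bytes
BABUK_EXT = ".babyk"
RANSOM_NOTE = "How to Restore Your Files.txt"


def has_babuk_trailer(path: str) -> bool:
    """True when the file ends with the Babuk signature (mirrors the decryptor's tail check)."""
    size = os.path.getsize(path)
    if size < len(BABUK_SIGNATURE):
        return False
    with open(path, "rb") as f:
        f.seek(size - len(BABUK_SIGNATURE))
        return f.read() == BABUK_SIGNATURE


def triage_directory(root: str) -> dict:
    """Walk a tree and sort Babuk artefacts into three buckets for IR reporting.

    'encrypted': .babyk files carrying the trailer; 'renamed_only': .babyk files
    without it (the encryptor renames before it encrypts, so an interrupted run
    leaves these recoverable); 'notes': ransom notes dropped per folder.
    """
    report = {"encrypted": [], "renamed_only": [], "notes": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                report["notes"].append(path)
            elif name.lower().endswith(BABUK_EXT):
                bucket = "encrypted" if has_babuk_trailer(path) else "renamed_only"
                report[bucket].append(path)
    return report


def build_sample_tree() -> str:
    """Constructed sample directory (not real victim data) to exercise the triage."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "budget.xlsx.babyk"), "wb") as f:
        f.write(os.urandom(64) + BABUK_SIGNATURE)     # stand-in for ciphertext + trailer
    with open(os.path.join(root, "memo.docx.babyk"), "wb") as f:
        f.write(b"plain text not yet encrypted")       # renamed, encryption interrupted
    with open(os.path.join(root, RANSOM_NOTE), "w") as f:
        f.write("text")
    with open(os.path.join(root, "clean.txt"), "w") as f:
        f.write("untouched")
    return root
```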
The figure below showcases the Decryptor fetching the “Key”(KS) during the runtime (process execution) analysis.
Figure 41 – Seed(KS) value shown during the runtime analysis
Once the Decryptor has the ‘Key’ (KS), it will read the Encrypted File, decrypt the content, and write the output back to the disk.
Figure 42 – Read the encrypted content, decrypt it, and write it back to the file.
Later, the function sub_407050 is called, as shown in the figure below. Its purpose is to delete the ransom note “How to Restore Your Files.txt”.
Figure 43 – Function called to find and delete the “How to Restore Your Files.txt” ransom note
The code shown below searches for files; if “How to Restore Your Files.txt” is found, it deletes the file using “DeleteFileW”, as shown below.
Figure 44 – function deleting ransom note once found
Once the Decryption process is done, the user is presented with a message that says: “Your file decrypted, bye!”.
Figure 45 – After decryption done, the final message box is shown to victim with message “Your file decrypted, bye!”
The release of the Babuk ransomware builder may increase the chances of future ransomware attacks. To serve malicious cybercriminal purposes, attackers may leverage these ransomware builder tools to target victims through various means such as social engineering campaigns and phishing attacks.
- Use the shared IoCs to monitor and block the malware infection.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputable anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Conduct regular backup practices and keep those backups offline or in a separate network.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Discovery | T1082 | System Information Discovery |
| Impact | T1490 | Inhibit System Recovery |
| Impact | T1489 | Service Stop |
| Impact | T1486 | Data Encrypted for Impact |
Indicators of Compromise (IoCs):
Generic signatures and Rules:
```yara
meta:
    author = "Cyble Research"
    date = "2021-07-02"
    description = "Coverage for Babuk Ransomware files"
strings:
    $sig1 = "kp.curve25519" wide ascii
    $sig2 = "ks.curve25519" wide ascii
    $sig3 = "e_nas_x86.out" wide ascii
    $sig4 = "DoYouWantToHaveSexWithCuongDong" wide ascii
    $sig6 = "How To Restore Your Files.txt" wide ascii
    $sig7 = ".babyk" wide ascii
    $sig8 = "choung dong looks like hot dog!!" wide ascii
condition:
    2 of ($sig*)
```
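To make the rule's modifiers and condition concrete, here is an added Python equivalent (not part of Cyble's rule) that looks for each $sig string in both its ASCII and UTF-16LE (“wide”) form and applies the “2 of” threshold to a buffer; the two sample buffers are constructed.

```python
# Signature strings from the rule above. YARA's "wide ascii" modifiers mean each
# string is searched for both as plain ASCII and as UTF-16LE (one NUL after each
# character), which is how Windows binaries commonly store string literals.
SIGNATURES = {
    "sig1": "kp.curve25519",
    "sig2": "ks.curve25519",
    "sig3": "e_nas_x86.out",
    "sig4": "DoYouWantToHaveSexWithCuongDong",
    "sig6": "How To Restore Your Files.txt",
    "sig7": ".babyk",
    "sig8": "choung dong looks like hot dog!!",
}


def encodings(s: str) -> tuple:
    """The two byte forms YARA searches for under 'wide ascii'."""
    return (s.encode("ascii"), s.encode("utf-16-le"))


def matched_signatures(data: bytes) -> list:
    """Names of the $sig* strings present in data, in either encoding."""
    return [name for name, s in SIGNATURES.items()
            if any(form in data for form in encodings(s))]


def rule_matches(data: bytes, threshold: int = 2) -> bool:
    """Equivalent of the rule's condition '2 of ($sig*)'."""
    return len(matched_signatures(data)) >= threshold


# Constructed sample buffers (not real malware): the first carries one wide and
# one ASCII hit, the second only a single hit and so stays below the threshold.
SAMPLE_HIT = (b"\x00" * 16 + ".babyk".encode("utf-16-le")
              + b"MZ" + b"choung dong looks like hot dog!!")
SAMPLE_MISS = b"MZ" + b"How To Restore Your Files.txt" + b"\x00" * 8
```

YARA string matching is case-sensitive unless `nocase` is given, so $sig4 and $sig6 as written only match the exact spellings in the rule; the rule's “How To Restore” differs in case from the “How to Restore Your Files.txt” note observed in the analysis above.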
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.