(Estimated Reading Time: 8 minutes)
Ransomware is a type of malicious software that attackers have engineered to convince or force the recipient of the ransomware to pay out large sums of money to the attacker. Successful ransomware has either scared the user into paying, often called Scareware, or has encrypted all the users files demanding payment to get their files back (unencrypted). Ransomware is not new and has been around for well over a decade with new variants continuing to emerge. A picture is worth a thousand words so the image below just shows a high level view of some well known ransomware families from the past decade. More recently in 2019 the Ryuk ransomware family had some large payouts. In 2020 there was a spike in ransomware largely driven by the global pandemic, a bit of a ransomware gold rush of sorts. The top 5 most active ransomware families in 2020 were Maze, Conti, Egregor, DoppelPaymer, and REvil. 2021 is kicking off with a new kid on the block, Babuk ransomware.
Ransomware-as-a-Service (RaaS) has become a thing in the past 1-2 years as organized crime groups have offered up leasing ransomware to affiliates for further network compromise. The profits are shared between the operators and affiliates. RaaS is changing the game a bit as affiliates without the knowledge to create malicious ransomware can simply buy/rent it just as easily as average consumers buy Cloud services.
How big are these ransomware payouts you might ask? In 2019 the average payout was around $41,000 which jumped to an average payout of $233,817 in Q3 of 2020 [Source]. Most large payouts tend to be from corporate or service type organizations that have been targeted, like schools, hospitals, and utilities. The following table shows data traced through the bitcoin network showing the top 15 ransomware families by bitcoin payment. The graph and research is from Ransomware in the Bitcoin Ecosystem
Now that we know a bit of the history of ransomware let’s take a quick peak at the newest addition, Babuk.
First seen in the wild on VirusTotal on 4-Jan-2021, the Babuk ransomware family is following similar tactics as Ryuk and Sodinokibi. McAfee has already completed a detailed analysis of one Babuk sample and authored a detailed Technical Analysis of Babuk Ransomware which is a good read. The file analyzed by McAfee has a SHA256 hash:
I decided to look a bit more into this sample. Even though it has been analyzed by McAfee and others this sample is nice because the original variant is not packed and can be easily downloaded from Tria.ge or VirusShare.
The ransomware letter from this sample can be seen in plain text by just looking at the Strings as seen below. I used to DetectItEasy in this case.
I ran the sample in a virtual machine and did in fact end up with encrypted personal files. Any files in the virtual machine that was user writable was encrypted (My Documents, My Downloads, etc.). Be careful as any network mapped file shares would also be encrypted! The OS files remained untouched and I was able to use Windows as normal. Any newly created files were fine as the Babuk ransomware doesn’t persist or add any AutoRun registry keys or scheduled tasks that I could identify.
As called out in the McAfee report, I did see vssadmin being called to wipe out any shadow volumes that could be used for recovery.
The table below is not an exhaustive list of samples but shows babuk over time as submitted to Trig.ge. Interestingly the 196k sample did introduce UPX packing, and the sample from 22-Feb that was 75k, changed the ransom note string from babuk to babyk ransomware.
|Hash||First Seen in Tria.ge||Size|
MalwareBazaar also has samples matching the Babuk family.
The upx sample can be easily unpacked with the upx packer using the commend ‘upx -d filename’. After unpacking the file is 1,077Kb and contains over 1200 strings, where the original only had 270 strings. In this unpacked sample idapro finds 846 functions where the original had 76. There seems to be more changes in this sample then just packing. The sample matches the Microsoft Visual C++ 9.0 compiler from Visual Studio 2008, which is also different then the original variant.
I’ve created a high level pseudo execution flow of Babuk just to show at a very high level the simple flow of execution. I’ve omitted much of the Thread safety flow, and the specific encryption routines. At a glance this is what I think Babuk is doing after reviewing the Ghidra disassembly.
if (not mutex) //has Babuk already run on this box call GetCommandLineA //get nolan or lanfirst command line args call SetProcessShutDownParameters(0,0) call OpenSCMangerA //get a list of services foreach service iterate services and terminate hard coded services call Process32FirstW foreach (process) iterate running processes and terminate hard coded processes SHEmptyRecycleBinA //clear recycling bin foreach (share) iterate over shares/files call GetSystemInfo //to get number of processors call CreateThread if (lanfirst command line) call WNetOpenEnumW //enumerate network resources iterate over shares and files encrypt files CreateFileW //create ransomware note call GetLogicalDrives //get local drives (ex C:) if (logicaldrives) iterate over files encrypt files CreateFileW //create ransomware note call ShellExecuteW to run vssadmin.exe delete shadows /all /quiet else exit
The McAfee report indicates a version of Babuk may be available for *nix as well. Has anyone seen a sample from a *nix machine? If so let me know in a comment below.