Sogeti CERT ESEC Threat Intelligence (CETI) experts analysed the operators’ activities and talked about the features of the Babuk ransomware, including how quickly a new group can adapt to single, double and even triple extortion.
Just as quickly, Babuk operators moved to a ransomware-software-as-a-service business model by hiring partners in clandestine Russian-language forums.
Unlike other ransomware, Babuk members post advertisements in English on popular hacking forums.
“Babuk’s malware also lacks the so-called ‘Kill Switch’ security measure, which is typically triggered when it detects the default installed Commonwealth of Independent States (CIS) languages on targeted devices”, — the CETI experts said.
The hackers set up their own data breach site to publish stolen information from victims as part of a double extortion strategy. The criminals have also published a list of companies and organizations that they will not attack, with some exceptions in the form of charities helping BLM and LGBT people.
The new ransomware comes without any source code obfuscation mechanisms. However, the grouping uses a strong encryption scheme that is almost impossible to break. The hackers use Chacha8’s homemade SHA256 algorithm for encryption and protect the keys with ECDH. Babuk can accept additional command line parameters during installation. If no parameters are specified, only local drives will be encrypted.
Babuk operators have already attacked healthcare organizations, banks, retailers and transportation companies.
“The attacks affected companies and organizations in Israel, the United States, India, Luxembourg, Italy, Spain, South Africa, the United Arab Emirates, the United Kingdom, China and Germany”, — McAfee researchers said.
According to experts, criminals use spoken English to communicate on underground forums. Presumably, they are not native English speakers, as specialists have identified several spelling errors and non-native expressions.
The ransom amounts range from $60,000 to $85,000, and at least one victim agreed to pay the highest amount. Each sample of Babuk ransomware is specifically customized for the victim with a ransom note and a URL link pointing to a chat to negotiate a payment.
In an effort to establish the identity and trace the digital fingerprint of the attacker under the pseudonym Biba99, during the investigation experts identified a public user account from Kazakhstan on Instagram.
The person in various photographs appears in both police and military uniforms, which indicates a clear lack of awareness of the operational security measures (OPSEC) that are entrusted to law enforcement agencies on social media. Experts suggest that this user may be the operator of Babuk.
Researchers estimate that if the new group continues their targeted attacks at such a rapid pace, Babuk could become a serious threat, just like Egregor, which many Maze affiliates have taken over.
Let me remind you that I talked about the fact that The IObit forum was hacked and used for sending DeroHE ransomware to the participants.
