Day 20: Babuk Ransomware

Common Attack Vectors

  • Phishing Emails
  • Remote Desktop Protocol
  • Recruitment of affiliates who know how to use penetration-testing tools
  • Publicly available offensive tools such as Cobalt Strike or Covenant

Vulnerabilities Exploited

  • ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), an exploit chain against on-premises Microsoft Exchange Server
  • PetitPotam (CVE-2021-36942), an NTLM authentication coercion flaw used for relay attacks against Windows domain hosts

Industries Targeted Frequently

Manufacturing

Threat actors target manufacturing facilities to disrupt product distribution.

Healthcare

Threat actors target healthcare industries to steal patients' names, financial records, social security numbers, and other personal information.

Enterprises

Threat actors target enterprises, stealing sensitive data, encrypting network files and demanding ransoms.

Recent Activity

Babuk ransomware breached servers and networks of the Metropolitan Police Department in Washington, D.C., stealing 250 GB of unencrypted files.

The Babuk ransomware builder was found leaked online, giving anyone the ability to generate working ransomware payloads and start their own ransomware operation with little development effort.

Yamabiko, a Japanese power tools manufacturer, was breached by Babuk operators, who stole personal information on employees, product schematics, and financial data.

Common File Extensions

.babyk

Known Aliases

  • Babyk
  • Vasa Locker
  • Babuk Locker

How Babuk Ransomware is Distributed

The infection begins with a downloader module on the victim's server. The downloader is a modified EfsPotato exploit that targets the ProxyShell and PetitPotam vulnerabilities. It runs an embedded, obfuscated PowerShell command that connects to the actor's infrastructure and downloads a packed loader module; the same PowerShell command executes an AMSI bypass to evade endpoint protection. The malicious domains fbi[.]fund and xxxs[.]info host the downloader server.

The initial packed loader module contains encrypted .NET resources disguised as bitmap images; the decrypted content is the actual Babuk ransomware payload. The loader connects to a URL on pastebin.pl that serves the intermediate unpacker module, which decrypts and unpacks the payload. The unpacker module decrypts the embedded Babuk payload in memory and injects it into a newly created AddInProcess32 process.

Running within AddInProcess32, the ransomware module enumerates the processes on the victim's server and attempts to terminate numerous processes and services related to backup products, including the Veeam backup service. It then uses the vssadmin utility to delete Volume Shadow Copy Service (VSS) snapshots so that the encrypted files cannot be restored from their shadow copies. Finally, the files on the victim's server are encrypted and the ransomware appends the '.babyk' extension to each encrypted file.

Two stages of this chain are high-signal for defenders: AddInProcess32.exe is a legitimate .NET Framework binary that is normally only spawned by Visual Studio, so an instance launched by PowerShell and making outbound connections is suspicious on its own, and "vssadmin delete shadows" immediately before mass file renames is characteristic of ransomware rather than administration.
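The following detection pass is an added example and is not SpearTip's code or a ShadowSpear rule. It runs simple rules for each stage of the chain described above over a handful of constructed, Sysmon-style process, network and file events (the event field names, the sample paths, the AMSI-bypass string markers and the treatment of devenv.exe as the only legitimate parent of AddInProcess32.exe are all assumptions of this example).

```python
"""Toy detection pass for the Babuk infection chain described above.

Added example, not SpearTip's code. Events are simplified Sysmon-style
records: id 1 = process create, 3 = network connect, 11 = file create.
Field names and sample values are assumptions of this example.
"""
import re

# Constructed sample telemetry modelled on the chain in the text.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ADDIN = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
EVENTS = [
    {"id": 1, "image": PS, "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"id": 3, "image": PS, "dest_host": "fbi.fund", "dest_port": 443},
    {"id": 1, "image": ADDIN, "parent": PS, "cmdline": "AddInProcess32.exe"},
    {"id": 3, "image": ADDIN, "dest_host": "pastebin.pl", "dest_port": 443},
    {"id": 1, "image": r"C:\Windows\System32\net.exe", "parent": ADDIN,
     "cmdline": "net stop VeeamBackupSvc /y"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe", "parent": ADDIN,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 11, "image": ADDIN,
     "target": r"C:\Users\Public\Documents\Q3-forecast.xlsx.babyk"},
    # Benign control: Visual Studio legitimately hosting an add-in.
    {"id": 1, "image": ADDIN,
     "parent": r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
     "cmdline": "AddInProcess32.exe /guid:12345678-1234-1234-1234-123456789abc /pid:4242"},
]

# Indicators taken from the text: hosting domains and the .babyk extension.
IOC_DOMAINS = {"fbi.fund", "xxxs.info", "pastebin.pl"}
# -enc / -EncodedCommand followed by a base64 blob.
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
# Common AMSI-bypass strings; the page only says "AMSI bypass", so these are assumed.
AMSI_BYPASS = re.compile(r"(?i)amsiInitFailed|AmsiScanBuffer|AmsiUtils")
VSS_DELETE = re.compile(r"(?i)vssadmin(?:\.exe)?\s+delete\s+shadows")
BACKUP_STOP = re.compile(r"(?i)\b(?:net1?|sc)(?:\.exe)?\s+stop\s+\S*veeam")
LEGIT_ADDIN_PARENTS = {"devenv.exe"}  # assumption: only Visual Studio should spawn it


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, summary) pairs for events matching a stage of the chain."""
    hits = []
    for ev in events:
        img = basename(ev.get("image", ""))
        parent = basename(ev.get("parent", ""))
        cmd = ev.get("cmdline", "")
        if ev["id"] == 1 and img == "powershell.exe" and (
                ENCODED_PS.search(cmd) or AMSI_BYPASS.search(cmd)):
            hits.append(("encoded_powershell", f"{parent} -> {img}: {cmd[:40]}..."))
        if ev["id"] == 3 and ev.get("dest_host", "").lower() in IOC_DOMAINS:
            hits.append(("ioc_domain", f"{img} -> {ev['dest_host']}:{ev['dest_port']}"))
        if ev["id"] == 1 and img == "addinprocess32.exe" and parent not in LEGIT_ADDIN_PARENTS:
            hits.append(("addinprocess32_injection_host", f"{parent} spawned {img}"))
        if ev["id"] == 1 and VSS_DELETE.search(cmd):
            hits.append(("shadow_copy_deletion", cmd))
        if ev["id"] == 1 and BACKUP_STOP.search(cmd):
            hits.append(("backup_service_stop", cmd))
        if ev["id"] == 11 and ev.get("target", "").lower().endswith(".babyk"):
            hits.append(("babyk_extension", ev["target"]))
    return hits


def chain_score(hits):
    """Number of distinct stages of the described chain that were observed."""
    return len({rule for rule, _ in hits})


if __name__ == "__main__":
    found = detect(EVENTS)
    for rule, summary in found:
        print(f"{rule:32} {summary}")
    print(f"stages observed: {chain_score(found)} / 6")
```

Any single rule here would be noisy on its own (administrators do run vssadmin, and encoded PowerShell is common); the value is in correlating several stages on one host within a short window, which is what `chain_score` approximates.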

ShadowSpear

SpearTip’s ShadowSpear platform defends your environment with unparalleled resources preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices providing security. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.