When you experience a breach, time is crucial. Our 24/7 Security Operations Center responds immediately with precision to eliminate the threat and restore operations.
ShadowSpear® is an unparalleled resource that defends your organization against advanced cyber threats and attacks 24/7/365.
Your organization has cybersecurity weaknesses and vulnerabilities you don’t yet even know about. They need to be found, and found immediately. If you don’t find them, someone else will.
Threat actors target manufacturing facilities to disrupt product distribution.
Threat actors target healthcare industries to steal patients' names, financial records, social security numbers, and other personal information.
Threat actors target enterprises, stealing sensitive data, encrypting network files and demanding ransoms.
Babuk ransomware breached servers and networks of the Metropolitan Police Department in Washington, D.C., stealing 250 GB of unencrypted files.
The Babuk ransomware builder was discovered online providing easy access to develop advanced ransomware which allows criminals to start their own ransomware business.
Yamabiko, a Japanese power tools manufacturing company, was breached by the Babuk ransomware stealing personal information on employees, product schematics, and financial data.
.Babyk
The infection begins with a downloader module on the victim’s server, which is a modified EfsPotato exploit targeting the ProxyShell and PetitPotam vulnerabilities. The downloader runs an embedded, obfuscated PowerShell command that connects to the actor’s infrastructure and downloads a packed downloader module. The PowerShell command executes an AMSI bypass to circumvent endpoint protection, and the malicious domains fbi[.]fund and xxxs[.]info host the downloader server. The initial packed loader module contains encrypted .NET resources stored as bitmap images; their decrypted content is the actual Babuk ransomware payload. The loader connects to a URL on pastebin.pl that hosts the intermediate unpacker module, which decrypts and unpacks the payload. The unpacker module decrypts the embedded Babuk ransomware payload in memory and injects it into a newly created AddInProcess32 process. Running within AddInProcess32, the ransomware module enumerates the processes running on the victim’s server and attempts to terminate numerous processes related to backup products, including the Veeam backup service. It then uses the vssadmin utility to delete Volume Shadow Copy Service (VSS) snapshots from the server, ensuring the encrypted files cannot be restored from their VSS copies. Finally, the files on the victim’s server are encrypted and the ransomware appends the ‘.babyk’ extension to each encrypted file.
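Each stage of the chain above leaves observable telemetry. As an added example (not SpearTip's or ShadowSpear's code), the Python below flags those stages in Sysmon-style process, network and file events; the event field names, the executable paths, the w3wp.exe parent and the sample events are constructed assumptions.

```python
import re

# Indicators from the write-up above; the page defangs the domains, so hosts are re-fanged before matching.
BABUK_DOMAINS = {"fbi.fund", "xxxs.info", "pastebin.pl"}
ENCODED_PS = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[a-z0-9+/=]{40,}")

def classify_event(ev: dict) -> list[str]:
    """Return the Babuk-chain behaviours matched by one Sysmon-style event."""
    image, parent, cmd = (ev.get(k, "").lower() for k in ("image", "parent", "cmdline"))
    hits = []
    # Shadow-copy deletion through vssadmin, which blocks restore from VSS.
    if image.endswith("vssadmin.exe") and "delete" in cmd and "shadows" in cmd:
        hits.append("vss_delete")
    # AddInProcess32 is the injection host: suspicious when PowerShell spawns it or when it spawns children.
    if image.endswith("addinprocess32.exe") and "powershell" in parent:
        hits.append("addinprocess32_from_powershell")
    if parent.endswith("addinprocess32.exe"):
        hits.append("child_of_addinprocess32")
    # Obfuscated/encoded PowerShell used by the downloader stage.
    if "powershell" in image and ENCODED_PS.search(cmd):
        hits.append("encoded_powershell")
    # Connection to the downloader-hosting or unpacker-staging domains.
    if ev.get("dest_host", "").replace("[.]", ".").lower() in BABUK_DOMAINS:
        hits.append("babuk_staging_domain")
    # Encrypted file written with the .babyk extension.
    if ev.get("target_file", "").lower().endswith(".babyk"):
        hits.append("babyk_extension")
    return hits

def scan(events: list[dict]) -> dict[str, list[int]]:
    """Map each rule that fired to the indices of the events that fired it."""
    found: dict[str, list[int]] = {}
    for i, ev in enumerate(events):
        for rule in classify_event(ev):
            found.setdefault(rule, []).append(i)
    return found

# Constructed sample telemetry (not real logs from the incident); w3wp.exe stands in for an exploited web worker.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ADDIN = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
SAMPLE_EVENTS = [
    {"image": PS, "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + "QQ" * 30},
    {"image": PS, "dest_host": "fbi[.]fund"},
    {"image": ADDIN, "parent": PS, "cmdline": "AddInProcess32.exe"},
    {"image": r"C:\Windows\System32\vssadmin.exe", "parent": ADDIN,
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"image": ADDIN, "target_file": r"D:\finance\Q3.xlsx.babyk"},
]
```

Running `scan(SAMPLE_EVENTS)` maps every rule to the sample events that triggered it; a single host firing several of these rules in sequence is the pattern worth alerting on, since each rule alone can have benign causes.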
SpearTip’s ShadowSpear platform defends your environment with unparalleled resources, preventing cybersecurity threats and attacks from affecting your business. ShadowSpear integrates with cloud, network and endpoint devices to provide security across all of them. ShadowSpear prevents ransomware from exploiting memory, stopping the threat before the full attack cycle completes. The ShadowSpear Platform is backed by the engineers in our 24/7 Security Operations Centers, ready to assist partners with security issues immediately.
24/7 Breach Response: US/CAN: 833.997.7327
Main Office: 800.236.6550
1714 Deer Tracks Trail, Suite 150
St. Louis, MO 63131
©2024 SpearTip, LLC. All rights reserved.