It is only day 8 of the new year, and there is already a brand-new ransomware group in the books. The Babuk Locker ransomware group wanted to be the first new kid on the block this year.
Their ransom demands range from $60,000 to $85,000 in Bitcoin.
They can ask for this much because of how much the malware does. Here is how Babuk Locker encrypts devices.
The executables are custom-built for each victim. This includes a hardcoded extension (__NIST_K571__), a ransom note titled “How To Restore Your Files.txt”, and a Tor URL through which the threat actors can exchange instant messages with the victim. Although this ransomware is new, it prevents victims from recovering their files for free: Babuk Locker ensures that decryption won’t be free by using ChaCha8 for file encryption and the Elliptic-curve Diffie-Hellman (ECDH) algorithm for key exchange.
Upon deployment, the threat actors use command-line arguments to control the ransomware. They have total control over how network shares are encrypted and whether that should happen before the local file system is encrypted.
During deployment, the ransomware terminates Windows services and processes that keep files open, since open file handles can prevent encryption. It terminates database servers, mail servers, backup software, mail clients, and web browsers.
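The two per-victim artifacts named above, the hardcoded file extension and the ransom note title, are the quickest host-side indicators a responder can sweep for. The following script is an added example, not SpearTip code or anything from the Babuk Locker sample itself; it walks a directory tree, counts files carrying the extension, records which directories hold the ransom note, and returns a verdict. The demo tree it builds is constructed sample data.

```python
import os
import tempfile
from collections import Counter

# Indicators quoted in the write-up: the hardcoded extension and ransom note name.
BABUK_EXTENSION = ".__NIST_K571__"
RANSOM_NOTE = "How To Restore Your Files.txt"


def scan_tree(root):
    """Walk root; return encrypted-file paths, note directories and a per-dir count."""
    encrypted, notes, per_dir = [], [], Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name == RANSOM_NOTE:
                notes.append(dirpath)
            elif name.endswith(BABUK_EXTENSION):
                encrypted.append(os.path.join(dirpath, name))
                per_dir[dirpath] += 1
    return {"encrypted_files": sorted(encrypted),
            "ransom_notes": sorted(notes),
            "per_dir": dict(per_dir)}


def verdict(summary):
    """'infected' when both indicators appear, 'suspicious' for one, else 'clean'."""
    hits = bool(summary["encrypted_files"]) + bool(summary["ransom_notes"])
    return {2: "infected", 1: "suspicious"}.get(hits, "clean")


def build_sample_tree():
    """Constructed demo tree (not real victim data) in a temp dir; returns its root."""
    root = tempfile.mkdtemp(prefix="babuk_demo_")
    layout = {
        "finance": ["q4.xlsx" + BABUK_EXTENSION, "budget.docx" + BABUK_EXTENSION, RANSOM_NOTE],
        "hr": ["handbook.pdf" + BABUK_EXTENSION, RANSOM_NOTE],
        "public": ["readme.txt"],  # untouched share: no indicators
    }
    for sub, files in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in files:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("sample\n")
    return root


if __name__ == "__main__":
    summary = scan_tree(build_sample_tree())
    print(verdict(summary), len(summary["encrypted_files"]), "encrypted,",
          len(summary["ransom_notes"]), "ransom notes")
```

Point `scan_tree` at a mounted share or a forensic image rather than the demo tree to get a per-directory picture of how far encryption progressed before the process was stopped.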
Interestingly, and something to be aware of, the threat actors question their victims about whether they have cyber insurance and whether they are using a recovery company.
Babuk Locker operators, like many other ransomware groups, are publishing their victims’ data on a forum. At the time of publication, five victims across the globe are being threatened with having their data published on a soon-to-be-launched leak site.
When organizations partner with a cybersecurity company like SpearTip, logs are monitored 24/7/365. SpearTip’s ShadowSpear® Platform has been proven to prevent advanced malware of this kind as well. Not only does ShadowSpear® prevent malicious encryption, but it would also have detected and prevented the activity that gave Babuk Locker full access to the environment. Our professional, certified cybersecurity engineers protect environments and deploy our proprietary tool, ShadowSpear®, when an environment is under attack.