January 26, 2021 By David Bisson 2 min read

A new ransomware, Babuk Locker, has struck five different companies globally, earning the dubious title of first new enterprise ransomware strain of 2021. The threat actors behind Babuk Locker target entire corporate networks instead of individual users. From there, they ask for ransom payments ranging from $60,000 to $85,000.

Let’s take a look at Babuk Locker’s techniques and how it compares to other ransomware strains that came before it.

Babuk’s Notable Features

At the forefront of investigating the new attack are Bleeping Computer and student security researcher Chuong Dong, who analyzed the threat and found it to be a “pretty standard ransomware” in terms of its techniques and functionality.

Dong found that Babuk Locker arrived with a hard-coded list of services to close before it began its encryption routine. Foremost was the Volume Shadow Copy Service (VSS), a native Windows service that creates backup copies of computer files or volumes when they are in use. By locking this down, Babuk Locker’s handlers made sure their victims couldn’t recover their data on their own.

Toward that same end, the ransomware singled out a number of other services related to maintaining data backups. It also closed down some security firms’ products and Microsoft Office apps.

This functionality, combined with blocking the Windows Restart Manager from closing any service using files, was particularly effective. It helped ensure that Babuk Locker would face no obstacles in opening and encrypting an affected user’s files.

In the next stage of the attack, the new ransomware engaged its encryption routine. For smaller files (less than 41 MB in size), Babuk Locker mapped the file entirely and used ChaCha8 encryption to encrypt it twice.

For larger files, the ransomware divided them into three equally large regions and selected the first 10 MB for encryption. Then, it encrypted that data using two ChaCha8 encryption keys generated from the Elliptic-curve Diffie–Hellman shared secret protocol’s SHA256 hash.

In this case, the authors of the new malware were using one private key for each sample of their creation. This suggested that the new ransomware was mainly targeting businesses instead of users, Dong noted.

A Look Back at Similar New Ransomware Threats

Much of what Babuk Locker can do isn’t new in the ransomware threat landscape. Other ransomware strains have attempted to prevent users from recovering their data using the shadow volume copies from VSS. The operators of DeathRansom, Conti and LockBit, among others, have done the same.

It’s also not the first ransomware to use the Windows Restart Manager to kill any service using files. For instance, Intel 471 spotted the REvil gang updating its samples with that technique in May 2020. Carbon Black Threat Analysis Unit made the same discovery with Conti in July 2020.

Lastly, Babuk Locker is just the latest ransomware to specifically target businesses. Bleeping Computer witnessed threat actors use other malware strains such as PwndLocker, VHD and SNAKE to specifically target enterprises throughout 2020.

How to Defend Against Threats Like Babuk Locker

Organizations can defend against threats, such as Babuk Locker, by encrypting their data and securing their encryption keys. This will make it more difficult for ransomware to identify the files as eligible for encryption. In addition, organizations should consider using multifactor authentication along with user behavior analytics to monitor for signs of account takeover, a type of attack which often comes before a ransomware infection.

More from News

Zero-day exploits underscore rising risks for internet-facing interfaces

3 min read - Recent reports confirm the active exploitation of a critical zero-day vulnerability targeting Palo Alto Networks’ Next-Generation Firewalls (NGFW) management interfaces. While Palo Alto’s swift advisories and mitigation guidance offer a starting point for remediation, the broader implications of such vulnerabilities demand attention from organizations globally. The surge in attacks on internet-facing management interfaces highlights an evolving threat landscape and necessitates rethinking how organizations secure critical assets. Who is exploiting the NGFW zero-day? As of now, little is known about the…

Will arresting the National Public Data threat actor make a difference?

3 min read - The arrest of USDoD, the mastermind behind the colossal National Public Data breach, was a victory for law enforcement. It also raises some fundamental questions. Do arrests and takedowns truly deter cyberattacks? Or do they merely mark the end of one criminal’s chapter while others rise to take their place? As authorities continue to crack down on cyber criminals, the arrest of high-profile threat actors like USDoD reveals a deeper, more complex reality about the state of global cyber crime.…

CISA adds Microsoft SharePoint vulnerability to the KEV Catalog

3 min read - In late October, the United States Cybersecurity & Infrastructure Security Agency (CISA) added a new threat to its Known Exploited Vulnerability (KEV) Catalog. Cyber criminals used remote code execution vulnerability in Microsoft SharePoint to gain access to organizations’ networks. The CISA press release states that “these types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” However, Microsoft identified and released a patch for this vulnerability in July 2024. Cybersecurity experts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today