A new ransomware, Babuk Locker, has struck five different companies globally, earning the dubious title of first new enterprise ransomware strain of 2021. The threat actors behind Babuk Locker target entire corporate networks instead of individual users. From there, they ask for ransom payments ranging from $60,000 to $85,000.

Let’s take a look at Babuk Locker’s techniques and how it compares to other ransomware strains that came before it.

Babuk’s Notable Features

At the forefront of investigating the new attack are Bleeping Computer and student security researcher Chuong Dong, who analyzed the threat and found it to be a “pretty standard ransomware” in terms of its techniques and functionality.

Dong found that Babuk Locker arrived with a hard-coded list of services to close before it began its encryption routine. Foremost was the Volume Shadow Copy Service (VSS), a native Windows service that creates backup copies of computer files or volumes when they are in use. By locking this down, Babuk Locker’s handlers made sure their victims couldn’t recover their data on their own.

Toward that same end, the ransomware singled out a number of other services related to maintaining data backups. It also closed down some security firms’ products and Microsoft Office apps.

This functionality, combined with blocking the Windows Restart Manager from closing any service using files, was particularly effective. It helped ensure that Babuk Locker would face no obstacles in opening and encrypting an affected user’s files.

In the next stage of the attack, the new ransomware engaged its encryption routine. For smaller files (less than 41 MB in size), Babuk Locker mapped the file entirely and used ChaCha8 encryption to encrypt it twice.

For larger files, the ransomware divided them into three equally large regions and selected the first 10 MB for encryption. Then, it encrypted that data using two ChaCha8 encryption keys generated from the Elliptic-curve Diffie–Hellman shared secret protocol’s SHA256 hash.

In this case, the authors of the new malware were using one private key for each sample of their creation. This suggested that the new ransomware was mainly targeting businesses instead of users, Dong noted.

A Look Back at Similar New Ransomware Threats

Much of what Babuk Locker can do isn’t new in the ransomware threat landscape. Other ransomware strains have attempted to prevent users from recovering their data using the shadow volume copies from VSS. The operators of DeathRansom, Conti and LockBit, among others, have done the same.

It’s also not the first ransomware to use the Windows Restart Manager to kill any service using files. For instance, Intel 471 spotted the REvil gang updating its samples with that technique in May 2020. Carbon Black Threat Analysis Unit made the same discovery with Conti in July 2020.

Lastly, Babuk Locker is just the latest ransomware to specifically target businesses. Bleeping Computer witnessed threat actors use other malware strains such as PwndLocker, VHD and SNAKE to specifically target enterprises throughout 2020.

How to Defend Against Threats Like Babuk Locker

Organizations can defend against threats, such as Babuk Locker, by encrypting their data and securing their encryption keys. This will make it more difficult for ransomware to identify the files as eligible for encryption. In addition, organizations should consider using multifactor authentication along with user behavior analytics to monitor for signs of account takeover, a type of attack which often comes before a ransomware infection.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Will data backups save you from ransomware? Think again

4 min read - Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal. A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…