January 26, 2021 By David Bisson 2 min read

A new ransomware, Babuk Locker, has struck five different companies globally, earning the dubious title of first new enterprise ransomware strain of 2021. The threat actors behind Babuk Locker target entire corporate networks instead of individual users. From there, they ask for ransom payments ranging from $60,000 to $85,000.

Let’s take a look at Babuk Locker’s techniques and how it compares to other ransomware strains that came before it.

Babuk’s Notable Features

At the forefront of investigating the new attack are Bleeping Computer and student security researcher Chuong Dong, who analyzed the threat and found it to be a “pretty standard ransomware” in terms of its techniques and functionality.

Dong found that Babuk Locker arrived with a hard-coded list of services to close before it began its encryption routine. Foremost was the Volume Shadow Copy Service (VSS), a native Windows service that creates backup copies of computer files or volumes when they are in use. By locking this down, Babuk Locker’s handlers made sure their victims couldn’t recover their data on their own.

Toward that same end, the ransomware singled out a number of other services related to maintaining data backups. It also closed down some security firms’ products and Microsoft Office apps.

This functionality, combined with blocking the Windows Restart Manager from closing any service using files, was particularly effective. It helped ensure that Babuk Locker would face no obstacles in opening and encrypting an affected user’s files.

In the next stage of the attack, the new ransomware engaged its encryption routine. For smaller files (less than 41 MB in size), Babuk Locker mapped the file entirely and used ChaCha8 encryption to encrypt it twice.

For larger files, the ransomware divided them into three equally large regions and selected the first 10 MB for encryption. Then, it encrypted that data using two ChaCha8 encryption keys generated from the Elliptic-curve Diffie–Hellman shared secret protocol’s SHA256 hash.

In this case, the authors of the new malware were using one private key for each sample of their creation. This suggested that the new ransomware was mainly targeting businesses instead of users, Dong noted.

A Look Back at Similar New Ransomware Threats

Much of what Babuk Locker can do isn’t new in the ransomware threat landscape. Other ransomware strains have attempted to prevent users from recovering their data using the shadow volume copies from VSS. The operators of DeathRansom, Conti and LockBit, among others, have done the same.

It’s also not the first ransomware to use the Windows Restart Manager to kill any service using files. For instance, Intel 471 spotted the REvil gang updating its samples with that technique in May 2020. Carbon Black Threat Analysis Unit made the same discovery with Conti in July 2020.

Lastly, Babuk Locker is just the latest ransomware to specifically target businesses. Bleeping Computer witnessed threat actors use other malware strains such as PwndLocker, VHD and SNAKE to specifically target enterprises throughout 2020.

How to Defend Against Threats Like Babuk Locker

Organizations can defend against threats, such as Babuk Locker, by encrypting their data and securing their encryption keys. This will make it more difficult for ransomware to identify the files as eligible for encryption. In addition, organizations should consider using multifactor authentication along with user behavior analytics to monitor for signs of account takeover, a type of attack which often comes before a ransomware infection.

More from News

White House cements CISA’s role as national coordinator for cybersecurity

2 min read - In 2013, the Obama Administration rolled out "The Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience", a forerunner to the Cybersecurity and Infrastructure Security Agency (CISA), created "to strengthen and maintain secure, functioning and resilient critical infrastructure."The directive was groundbreaking in 2013, noting the importance of the rising risk of cyberattacks against critical infrastructure. But as cyber risks are constantly shifting, every cybersecurity program needs to be re-evaluated, and CISA is no exception. That’s why, in April 2024, President…

Debate rages over DMCA Section 1201 exemption for generative AI

3 min read - The Digital Millennium Copyright Act (DMCA) is a federal law that protects copyright holders from online theft. The DMCA covers music, movies, text and anything else under copyright. The DMCA also makes it illegal to hack technologies that copyright owners use to protect their works against infringement. These technologies can include encryption, password protection or other measures. These provisions are commonly referred to as the “Anti-Circumvention” provisions or “Section 1201”. Now, a fierce debate is brewing over whether to allow…

CISA Malware Next-Gen Analysis now available to public sector

2 min read - One of the main goals of the Cybersecurity and Infrastructure Security Agency (CISA) is to promote security collaboration across the public and private sectors. CISA firmly believes that partnerships and effective coordination are essential to maintaining critical infrastructure security and cyber resilience. In faithfulness to this mission, CISA is now offering the Malware Next-Generation Analysis program to businesses and other organizations. This service has been available to government and military workers since November 2023 but is now available to the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today