Researchers Identify Enterprise Attack Using New Ransomware

January 26, 2021 @ 7:00 AM
| |
2 min read

A new ransomware, Babuk Locker, has struck five different companies globally, earning the dubious title of first new enterprise ransomware strain of 2021. The threat actors behind Babuk Locker target entire corporate networks instead of individual users. From there, they ask for ransom payments ranging from $60,000 to $85,000.

Let’s take a look at Babuk Locker’s techniques and how it compares to other ransomware strains that came before it.

Babuk’s Notable Features

At the forefront of investigating the new attack are Bleeping Computer and student security researcher Chuong Dong, who analyzed the threat and found it to be a “pretty standard ransomware” in terms of its techniques and functionality.

Dong found that Babuk Locker arrived with a hard-coded list of services to close before it began its encryption routine. Foremost was the Volume Shadow Copy Service (VSS), a native Windows service that creates backup copies of computer files or volumes when they are in use. By locking this down, Babuk Locker’s handlers made sure their victims couldn’t recover their data on their own.

Toward that same end, the ransomware singled out a number of other services related to maintaining data backups. It also closed down some security firms’ products and Microsoft Office apps.

This functionality, combined with blocking the Windows Restart Manager from closing any service using files, was particularly effective. It helped ensure that Babuk Locker would face no obstacles in opening and encrypting an affected user’s files.

In the next stage of the attack, the new ransomware engaged its encryption routine. For smaller files (less than 41 MB in size), Babuk Locker mapped the file entirely and used ChaCha8 encryption to encrypt it twice.

For larger files, the ransomware divided them into three equally large regions and selected the first 10 MB for encryption. Then, it encrypted that data using two ChaCha8 encryption keys generated from the Elliptic-curve Diffie–Hellman shared secret protocol’s SHA256 hash.

In this case, the authors of the new malware were using one private key for each sample of their creation. This suggested that the new ransomware was mainly targeting businesses instead of users, Dong noted.

A Look Back at Similar New Ransomware Threats

Much of what Babuk Locker can do isn’t new in the ransomware threat landscape. Other ransomware strains have attempted to prevent users from recovering their data using the shadow volume copies from VSS. The operators of DeathRansom, Conti and LockBit, among others, have done the same.

It’s also not the first ransomware to use the Windows Restart Manager to kill any service using files. For instance, Intel 471 spotted the REvil gang updating its samples with that technique in May 2020. Carbon Black Threat Analysis Unit made the same discovery with Conti in July 2020.

Lastly, Babuk Locker is just the latest ransomware to specifically target businesses. Bleeping Computer witnessed threat actors use other malware strains such as PwndLocker, VHD and SNAKE to specifically target enterprises throughout 2020.

How to Defend Against Threats Like Babuk Locker

Organizations can defend against threats, such as Babuk Locker, by encrypting their data and securing their encryption keys. This will make it more difficult for ransomware to identify the files as eligible for encryption. In addition, organizations should consider using multifactor authentication along with user behavior analytics to monitor for signs of account takeover, a type of attack which often comes before a ransomware infection.

David Bisson
Contributing Editor

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...
read more