A new ransomware, Babuk Locker, has struck five different companies globally, earning the dubious title of first new enterprise ransomware strain of 2021. The threat actors behind Babuk Locker target entire corporate networks instead of individual users. From there, they ask for ransom payments ranging from $60,000 to $85,000.

Let’s take a look at Babuk Locker’s techniques and how it compares to other ransomware strains that came before it.

Babuk’s Notable Features

At the forefront of investigating the new attack are Bleeping Computer and student security researcher Chuong Dong, who analyzed the threat and found it to be a “pretty standard ransomware” in terms of its techniques and functionality.

Dong found that Babuk Locker arrived with a hard-coded list of services to close before it began its encryption routine. Foremost was the Volume Shadow Copy Service (VSS), a native Windows service that creates backup copies of computer files or volumes when they are in use. By locking this down, Babuk Locker’s handlers made sure their victims couldn’t recover their data on their own.

Toward that same end, the ransomware singled out a number of other services related to maintaining data backups. It also closed down some security firms’ products and Microsoft Office apps.

This functionality, combined with blocking the Windows Restart Manager from closing any service using files, was particularly effective. It helped ensure that Babuk Locker would face no obstacles in opening and encrypting an affected user’s files.

In the next stage of the attack, the new ransomware engaged its encryption routine. For smaller files (less than 41 MB in size), Babuk Locker mapped the file entirely and used ChaCha8 encryption to encrypt it twice.

For larger files, the ransomware divided them into three equally large regions and selected the first 10 MB for encryption. Then, it encrypted that data using two ChaCha8 encryption keys generated from the Elliptic-curve Diffie–Hellman shared secret protocol’s SHA256 hash.

In this case, the authors of the new malware were using one private key for each sample of their creation. This suggested that the new ransomware was mainly targeting businesses instead of users, Dong noted.

A Look Back at Similar New Ransomware Threats

Much of what Babuk Locker can do isn’t new in the ransomware threat landscape. Other ransomware strains have attempted to prevent users from recovering their data using the shadow volume copies from VSS. The operators of DeathRansom, Conti and LockBit, among others, have done the same.

It’s also not the first ransomware to use the Windows Restart Manager to kill any service using files. For instance, Intel 471 spotted the REvil gang updating its samples with that technique in May 2020. Carbon Black Threat Analysis Unit made the same discovery with Conti in July 2020.

Lastly, Babuk Locker is just the latest ransomware to specifically target businesses. Bleeping Computer witnessed threat actors use other malware strains such as PwndLocker, VHD and SNAKE to specifically target enterprises throughout 2020.

How to Defend Against Threats Like Babuk Locker

Organizations can defend against threats, such as Babuk Locker, by encrypting their data and securing their encryption keys. This will make it more difficult for ransomware to identify the files as eligible for encryption. In addition, organizations should consider using multifactor authentication along with user behavior analytics to monitor for signs of account takeover, a type of attack which often comes before a ransomware infection.

More from News

The White House on Quantum Encryption and IoT Labels

A recent White House Fact Sheet outlined the current and future U.S. cybersecurity priorities. While most of the topics covered were in line with expectations, others drew more attention. The emphasis on critical infrastructure protection is clearly a top national priority. However, the plan is to create a labeling system for IoT devices, identifying the ones with the highest cybersecurity standards. Few expected that news. The topic of quantum-resistant encryption reveals that such concerns may become a reality sooner than…

Malware-as-a-Service Flaunts Its Tally of Users and Victims

As time passes, the security landscape keeps getting stranger and scarier. How long did the “not if, but when” mentality towards cyberattacks last — a few years, maybe? Now, security pros think in terms of how often will their organization be attacked and at what cost. Or they consider how the difference between legitimate Software-as-a-Service (SaaS) brands and Malware-as-a-Service (MaaS) gangs keeps getting blurrier. MaaS operators provide web-based services, slick UX, tiered subscriptions, newsletters and Telegram channels that keep users…

New Survey Shows Burnout May Lead to Attrition

For many organizations and the cybersecurity industry as a whole, improving retention and reducing the skills gap is a top priority. Mimecast’s The State of Ransomware Readiness 2022: Reducing the Personal and Business Cost points to another growing concern — burnout that leads to attrition. Without skilled employees, organizations cannot protect their data and infrastructure from increasing cybersecurity attacks. According to Mimecast’s report, 77% of cybersecurity leaders say the number of cyberattacks against their company has increased or stayed the…

Alleged FBI Database Breach Exposes Agents and InfraGard

Recently the feds suffered a big hack, not once, but twice. First, the FBI-run InfraGard program suffered a breach. InfraGard aims to strengthen partnerships with the private sector to share information about cyber and physical threats. That organization experienced a major breach in early December, according to a KrebsOnSecurity report. Allegedly, the InfraGard database — containing contact information of over 80,000 members — appeared up for sale on a cyber crime forum. Also, the hackers have reportedly been communicating with…