“Babuk” group: just another ransomware gang?

“Babuk” group: just another ransomware gang?


30 million dollars. That is the highest amount asked for by ransomware gangs in 2020, according to cybersecurity company Palo Alto Networks. Ransomware gangs have used the covid-19 crisis to increase pressure on companies and public organizations’ informational systems. In the spotlight is the Fancy Gang “Babuk”. Also known as “Babuk locker” “Baby” or “Vasa locker”, in its early days, the cybercriminal group used a Ransomware-as-a-Service (RaaS) model in order to reach its victims. In other words, the group outsources its ransomware services to “partners” who will use them against companies they have decided to target.  According to CybelAngel Threat Investigation Team Babuk is likely a Russian-speaking cybercriminal group and – so far – is not known to be tied to any other ransomware gang, excluding its partners. They also seem to have a very bad reputation on cybercriminal forums, although their partnering process is attractive on the dark web. Indeed, Babuk offers a lower interest rate to its customers compared to other RaaS groups. Babuk describes its members as “cyberpunks”, whose role, according to group website hosted on Tor, is to enforce company IT security by proceeding with random audits: Source: Babuk ‘About’ Page  At the time this article was written, at least 5 companies have been infected by Babuk and one of them has paid up to $85,000 to get rid of the ransomware. In regards to its targets, the group has clear guidelines on the type of victims to aim at: Source: ibid.

Modus operandi 

A great number of observers, among which the security expert McAfee, agree that the ransomware is rather simple from a technical standpoint. The 32-bit.exe file nevertheless is still pretty efficient.  According to different cybersecurity analysis, the attack is decoupled in four phases: 

  1. Preparation: Accounts are compromised through existing vulnerability exploits or phishing, A redundant preparation plan for this step has not yet been identified.
  2. Reconnaissance: Once in, Babuk investigates in order to exfiltrate a set of sensitive data and inspects lateral movement possibilities.
  3. Encryption: Once exfiltrated the batch of data is encrypted.
  4. Negotiation: The victim is contacted to pay a ransom in exchange for data recovery. Without an agreement, documents could leak on Babuk’s website.

Regarding the attack technicalities, one of Babuk’s purposes is to prevent any possibility of data recovery from happening. The ransomware’s aim is to terminate ongoing applications and back-ups while extracting sensitive documents back to a potential Command & Control server.  Windows shadow copies and the recycle bin are also deleted. After having made sure that the encryption process excluded certain parts of, so the victim can communicate with its executioner, Babuk encrypts data using ChaCha8 stream cipher for encryption and Elliptic-curve Diffie-Hellman (ECDH) for key generation.

So, what’s new?

Babuk is a good example of the current ransomware trend. They declare their goal is only to secure victims’ informational systems, thus presenting themselves as a sort of heroes -meanwhile their only actions are profit maximization.  By threatening to leak organizations’ data, Babuk acts as any ransomware since Maze in 2019: they block their victims’ systems and ask for money in return for data recovery, their affiliate RaaS offering them an additional source of revenue.  No matter the way they present themselves, Babuk remains a group of criminals in the eye of the law. As recommended by the French national cybersecurity agency ANSSI, paying the ransom is highly risky and does not ensure the organization’s data recovery, nor Babuk coming back. To prevent this from happening following a clear digital health policy remains the best way, as well as following international CERT recommendations in regards to cybersecurity.  At a time when ransomware gangs are gathering into organized cartels, it is clear that organizations without efficient cybersecurity tools and partners will face growing difficulties. 

CybelAngel Digital Risk Protection Platform specializes in finding leaks and digital threats before they can harm your company.  Our free Exposure Dashboard will show you unknown leaks and threats that can lead to ransomware attacks, account takeover, and more.