win.babuk

Babuk

aka: Babyk, Vasa Locker

Babuk is a ransomware family compiled for several platforms. Windows and ARM Linux builds are the most commonly seen, but ESX builds and an older 32-bit PE executable have been observed over time as well. It uses an elliptic-curve algorithm (Montgomery algorithm) to build the encryption keys.

References
2021-07-05Lab52Th3spis
@online{th3spis:20210705:quick:b0fddf2, author = {Th3spis}, title = {{Quick review of Babuk ransomware builder}}, date = {2021-07-05}, organization = {Lab52}, url = {https://lab52.io/blog/quick-review-of-babuk-ransomware-builder/}, language = {English}, urldate = {2021-07-12} } Quick review of Babuk ransomware builder
Babuk
2021-07-04Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210704:babuk:3ba79a8, author = {Marco Ramilli}, title = {{Babuk Ransomware: The Builder}}, date = {2021-07-04}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/}, language = {English}, urldate = {2021-07-06} } Babuk Ransomware: The Builder
Babuk
2021-07-01BleepingComputerIonut Ilascu
@online{ilascu:20210701:babuk:81a1235, author = {Ionut Ilascu}, title = {{Babuk ransomware is back, uses new version on corporate networks}}, date = {2021-07-01}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-uses-new-version-on-corporate-networks/}, language = {English}, urldate = {2021-07-02} } Babuk ransomware is back, uses new version on corporate networks
Babuk
2021-06-30BleepingComputerLawrence Abrams
@online{abrams:20210630:leaked:ea62d8a, author = {Lawrence Abrams}, title = {{Leaked Babuk Locker ransomware builder used in new attacks}}, date = {2021-06-30}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/}, language = {English}, urldate = {2021-07-02} } Leaked Babuk Locker ransomware builder used in new attacks
Babuk
2021-06-27Twitter (@GossiTheDog)Kevin Beaumont
@online{beaumont:20210627:babuk:a031da5, author = {Kevin Beaumont}, title = {{Tweet on babuk ransomware builder}}, date = {2021-06-27}, organization = {Twitter (@GossiTheDog)}, url = {https://twitter.com/GossiTheDog/status/1409117153182224386}, language = {English}, urldate = {2021-07-01} } Tweet on babuk ransomware builder
Babuk
2021-06-27The RecordCatalin Cimpanu
@online{cimpanu:20210627:builder:40a8c38, author = {Catalin Cimpanu}, title = {{Builder for Babuk Locker ransomware leaked online}}, date = {2021-06-27}, organization = {The Record}, url = {https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/}, language = {English}, urldate = {2021-06-29} } Builder for Babuk Locker ransomware leaked online
Babuk
2021-06-10McAfeeATR Operational Intelligence Team
@online{team:20210610:are:14ab8d0, author = {ATR Operational Intelligence Team}, title = {{Are Virtual Machines the New Gold for Cyber Criminals?}}, date = {2021-06-10}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/}, language = {English}, urldate = {2021-06-21} } Are Virtual Machines the New Gold for Cyber Criminals?
Babuk DarkSide
2021-06-06Bleeping ComputerLawrence Abrams
@online{abrams:20210606:new:8c47cad, author = {Lawrence Abrams}, title = {{New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions}}, date = {2021-06-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/}, language = {English}, urldate = {2021-06-16} } New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions
Babuk FriedEx WastedLocker
2021-06-03Medium s2wlabHyunmin Suh, Denise Dasom Kim, Jungyeon Lim, YH Jeong
@online{suh:20210603:w1:f034ac8, author = {Hyunmin Suh and Denise Dasom Kim and Jungyeon Lim and YH Jeong}, title = {{W1 Jun | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-06-03}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b}, language = {English}, urldate = {2021-06-16} } W1 Jun | EN | Story of the week: Ransomware on the Darkweb
DarkSide Babuk DarkSide
2021-05-31DataBreaches.netDissent
@online{dissent:20210531:babuk:4915c4b, author = {Dissent}, title = {{Babuk re-organizes as Payload Bin, offers its first leak}}, date = {2021-05-31}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/}, language = {English}, urldate = {2021-06-04} } Babuk re-organizes as Payload Bin, offers its first leak
Babuk HelloKitty
2021-05-25Medium s2wlabHyunmin Suh, Denise Dasom Kim, Jungyeon Lim
@online{suh:20210525:w4:b927684, author = {Hyunmin Suh and Denise Dasom Kim and Jungyeon Lim}, title = {{W4 May | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-05-25}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f}, language = {English}, urldate = {2021-06-16} } W4 May | EN | Story of the week: Ransomware on the Darkweb
Babuk REvil
2021-05-12KasperskyDmitry Galov, Leonid Bezvershenko, Ivan Kwiatkowski
@online{galov:20210512:ransomware:439cee0, author = {Dmitry Galov and Leonid Bezvershenko and Ivan Kwiatkowski}, title = {{Ransomware world in 2021: who, how and why}}, date = {2021-05-12}, organization = {Kaspersky}, url = {https://securelist.com/ransomware-world-in-2021/102169/}, language = {English}, urldate = {2021-05-13} } Ransomware world in 2021: who, how and why
Babuk REvil
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-07Bleeping ComputerLawrence Abrams
@online{abrams:20210507:data:c674b2b, author = {Lawrence Abrams}, title = {{Data leak marketplaces aim to take over the extortion economy}}, date = {2021-05-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/}, language = {English}, urldate = {2021-05-08} } Data leak marketplaces aim to take over the extortion economy
Babuk Maze
2021-04-29Sekurak.plSekurak
@online{sekurak:20210429:udao:8043e83, author = {Sekurak}, title = {{Udało nam się zrealizować wywiad z grupą ransomware (Babuk), która zaszyfrowała policję metropolitarną w Waszyngtonie}}, date = {2021-04-29}, organization = {Sekurak.pl}, url = {https://sekurak.pl/udalo-nam-sie-zrealizowac-wywiad-z-grupa-ransomware-babuk-ktora-zaszyfrowala-policje-metropolitarna-w-waszyngtonie/}, language = {Polish}, urldate = {2021-05-03} } Udało nam się zrealizować wywiad z grupą ransomware (Babuk), która zaszyfrowała policję metropolitarną w Waszyngtonie
Babuk
2021-04-25Vulnerability.ch BlogCorsin Camichel
@online{camichel:20210425:ransomware:1a1ee7f, author = {Corsin Camichel}, title = {{Ransomware and Data Leak Site Publication Time Analysis}}, date = {2021-04-25}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/}, language = {English}, urldate = {2021-04-29} } Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-02-24McAfeeAlexandre Mundo, Thibault Seret, Thomas Roccia, John Fokker
@techreport{mundo:20210224:technical:4d09445, author = {Alexandre Mundo and Thibault Seret and Thomas Roccia and John Fokker}, title = {{Technical Analysis of Babuk Ransomware}}, date = {2021-02-24}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf}, language = {English}, urldate = {2021-02-25} } Technical Analysis of Babuk Ransomware
Babuk
2021-02-08Medium Sebdravensebdraven
@online{sebdraven:20210208:babuk:138756c, author = {sebdraven}, title = {{Babuk is distributed packed}}, date = {2021-02-08}, organization = {Medium Sebdraven}, url = {https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62}, language = {English}, urldate = {2021-02-09} } Babuk is distributed packed
Babuk
2021-02-05Trend MicroRaphael Centeno, Monte de Jesus, Don Ovid Ladores, Junestherry Salvador, Nikko Tamana, Llalum Victoria
@online{centeno:20210205:new:33e89f1, author = {Raphael Centeno and Monte de Jesus and Don Ovid Ladores and Junestherry Salvador and Nikko Tamana and Llalum Victoria}, title = {{New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker}}, date = {2021-02-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html}, language = {English}, urldate = {2021-02-09} } New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker
Babuk TeslaCrypt
2021-02-02Bleeping ComputerLawrence Abrams
@online{abrams:20210202:babyk:0f0a60d, author = {Lawrence Abrams}, title = {{Babyk Ransomware won't hit charities, unless they support LGBT, BLM}}, date = {2021-02-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/}, language = {English}, urldate = {2021-02-04} } Babyk Ransomware won't hit charities, unless they support LGBT, BLM
Babuk
2021-01-26Medium s2wlabHyunmin Suh
@online{suh:20210126:w4:138a143, author = {Hyunmin Suh}, title = {{W4 Jan | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-01-26}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1}, language = {English}, urldate = {2021-01-27} } W4 Jan | EN | Story of the week: Ransomware on the Darkweb
Avaddon Babuk LockBit
2021-01-16Chuongdong blogChuong Dong
@online{dong:20210116:babuk:31553f3, author = {Chuong Dong}, title = {{Babuk Ransomware v3}}, date = {2021-01-16}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/}, language = {English}, urldate = {2021-05-13} } Babuk Ransomware v3
Babuk
2021-01-05Twitter (@Sebdraven)Sébastien Larinier
@online{larinier:20210105:link:91ecfb1, author = {Sébastien Larinier}, title = {{Tweet on link between Babuk and Vasa locker}}, date = {2021-01-05}, organization = {Twitter (@Sebdraven)}, url = {https://twitter.com/Sebdraven/status/1346377590525845504}, language = {English}, urldate = {2021-01-10} } Tweet on link between Babuk and Vasa locker
Babuk
2021-01-03Chuongdong blogChuong Dong
@online{dong:20210103:babuk:b5b2e9e, author = {Chuong Dong}, title = {{Babuk Ransomware}}, date = {2021-01-03}, organization = {Chuongdong blog}, url = {http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/}, language = {English}, urldate = {2021-01-21} } Babuk Ransomware
Babuk
2021SogetiSogeti
@techreport{sogeti:2021:babuk:607b96e, author = {Sogeti}, title = {{Babuk ransomware}}, date = {2021}, institution = {Sogeti}, url = {https://www.fr.sogeti.com/globalassets/france/avis-dexperts--livres-blancs/cybersecchronicles_-_babuk.pdf}, language = {English}, urldate = {2021-05-17} } Babuk ransomware
Babuk
Yara Rules
[TLP:WHITE] win_babuk_auto (20210616 | Detects win.babuk.)
rule win_babuk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.babuk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reviewer notes on applying this rule (the rule logic itself is unchanged):
     * - The byte sequences below are x86 (32-bit) code taken from unpacked or
     *   in-memory samples. Babuk has been reported as distributed packed, so
     *   scan memory dumps or unpacked files; a packed on-disk dropper will
     *   generally not match these sequences.
     * - "????????" wildcards mask the 4-byte operands of calls, jumps and
     *   pushed addresses, so matches do not depend on image base or on where
     *   the linker placed a given function or string within one build.
     * - The filesize gate (< 183296 bytes, 0x2CC00) limits false positives in
     *   large binaries but also excludes any scanned object above that size;
     *   relax it if you scan whole process memory regions instead of extracted
     *   PE images.
     * - "score = 800" is a yara-signator ranking value recorded for reference;
     *   it carries no weight in YARA's evaluation.
     */

    strings:
        $sequence_0 = { e8???????? 85c0 742d 68???????? ff15???????? }
            // n = 5, score = 800
            //   e8????????           | call                rel32 (direct call, target wildcarded)
            //   85c0                 | test                eax, eax
            //   742d                 | je                  0x2f
            //   68????????           | push                imm32 (address wildcarded)
            //   ff15????????         | call                dword ptr [imm32] (indirect call, e.g. via IAT)

        $sequence_1 = { 6a00 ff15???????? e8???????? 85c0 742d 68???????? }
            // n = 6, score = 800
            // Overlaps $sequence_0 by four instructions; same call-check-push site.
            //   6a00                 | push                0
            //   ff15????????         | call                dword ptr [imm32]
            //   e8????????           | call                rel32
            //   85c0                 | test                eax, eax
            //   742d                 | je                  0x2f
            //   68????????           | push                imm32

        $sequence_2 = { ff15???????? 85c0 0f85ea000000 ff15???????? 3dea000000 0f85d9000000 }
            // n = 6, score = 800
            // Shape: API call, non-zero return skips ahead, otherwise a second API
            // call's result is compared with 0xEA (234). NOTE(review): 234 is the
            // value of the Win32 error ERROR_MORE_DATA, which would fit a
            // GetLastError() check after a failed call - confirm against the sample.
            //   ff15????????         | call                dword ptr [imm32]
            //   85c0                 | test                eax, eax
            //   0f85ea000000         | jne                 0xf0
            //   ff15????????         | call                dword ptr [imm32]
            //   3dea000000           | cmp                 eax, 0xea
            //   0f85d9000000         | jne                 0xdf

        $sequence_3 = { 68???????? 68???????? 68???????? 6a00 ff15???????? e8???????? }
            // n = 6, score = 800
            // Three wildcarded addresses and a 0 pushed as arguments before an
            // indirect API call, followed by a direct call.
            //   68????????           | push                imm32
            //   68????????           | push                imm32
            //   68????????           | push                imm32
            //   6a00                 | push                0
            //   ff15????????         | call                dword ptr [imm32]
            //   e8????????           | call                rel32

        $sequence_4 = { 51 ff15???????? 85c0 0f85ea000000 }
            // n = 4, score = 800
            // Prefix of the $sequence_2 / $sequence_7 site, with the preceding push ecx.
            //   51                   | push                ecx
            //   ff15????????         | call                dword ptr [imm32]
            //   85c0                 | test                eax, eax
            //   0f85ea000000         | jne                 0xf0

        $sequence_5 = { ff15???????? 85c0 0f85ea000000 ff15???????? }
            // n = 4, score = 800
            // Shorter form of $sequence_2 (first four instructions).
            //   ff15????????         | call                dword ptr [imm32]
            //   85c0                 | test                eax, eax
            //   0f85ea000000         | jne                 0xf0
            //   ff15????????         | call                dword ptr [imm32]

        $sequence_6 = { c1e005 8b4d08 8b54010c 83e202 }
            // n = 4, score = 800
            // Only sequence here with no wildcards: index * 32 into a table reached
            // through the first stack argument, read the dword at offset 0xc of that
            // entry and isolate bit 1. NOTE(review): looks like a flag test on an
            // array of 32-byte records - the record layout is not visible here.
            //   c1e005               | shl                 eax, 5
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b54010c             | mov                 edx, dword ptr [ecx + eax + 0xc]
            //   83e202               | and                 edx, 2

        $sequence_7 = { 51 ff15???????? 85c0 0f85ea000000 ff15???????? 3dea000000 }
            // n = 6, score = 800
            // $sequence_4 extended by the second call and the cmp eax, 0xea.
            //   51                   | push                ecx
            //   ff15????????         | call                dword ptr [imm32]
            //   85c0                 | test                eax, eax
            //   0f85ea000000         | jne                 0xf0
            //   ff15????????         | call                dword ptr [imm32]
            //   3dea000000           | cmp                 eax, 0xea

        $sequence_8 = { e8???????? e8???????? e8???????? 6a07 6a00 6a00 ff15???????? }
            // n = 7, score = 800
            // Three consecutive direct calls, then an API called with (0, 0, 7)
            // (arguments pushed right-to-left). The API itself is wildcarded.
            //   e8????????           | call                rel32
            //   e8????????           | call                rel32
            //   e8????????           | call                rel32
            //   6a07                 | push                7
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         | call                dword ptr [imm32]

        $sequence_9 = { c745f800000000 e8???????? 85c0 742d 68???????? ff15???????? }
            // n = 6, score = 800
            // $sequence_0 preceded by zeroing a local at [ebp - 8].
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   e8????????           | call                rel32
            //   85c0                 | test                eax, eax
            //   742d                 | je                  0x2f
            //   68????????           | push                imm32
            //   ff15????????         | call                dword ptr [imm32]

    condition:
        // Require 7 of the 10 sequences (several of them overlap, so a single
        // matching call site can satisfy more than one) and cap the scanned size.
        7 of them and filesize < 183296
}