win.babuk

Babuk

aka: Babyk, Vasa Locker

Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but an ESX build and an old 32-bit PE executable were observed over time as well. It uses an elliptic curve algorithm (Montgomery algorithm) to build the encryption keys.

References
2024-01-09 | Avast Decoded | Threat Research Team
Avast Updates Babuk Ransomware Decryptor in Cooperation with Cisco Talos and Dutch Police
Babuk
2023-12-22 | PRODAFT | PRODAFT
Smoke and Mirrors: Understanding The Workings of Wazawaka
Conti Monti Babuk Hive LockBit RagnarLocker Trigona
2023-12-13 | cocomelonc | cocomelonc
Malware in the wild book
AsyncRAT Babuk BlackCat BlackLotus Carbanak HelloKitty Paradise Stealc WinDealer
2023-06-17 | Github (EmissarySpider) | EmissarySpider
ransomware-descendants
Babuk Conti LockBit
2023-06-15 | Github (cocomelonc) | cocomelonc
Malware analysis report: Babuk ransomware
Babuk
2023-05-16 | KrebsOnSecurity | Brian Krebs
Russian Hacker “Wazawaka” Indicted for Ransomware
Babuk Hive LockBit
2022-12-07 | Morphisec | Morphisec Labs
New Babuk Ransomware Found in Major Attack
Babuk
2022-08-24 | Trend Micro | Hitomi Kimura, Ryan Soliven
Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus
Babuk
2022-08-24 | Trend Micro | Hitomi Kimura, Ryan Soliven
Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus (IoCs)
Babuk
2022-06-13 | Jorge Testa | Jorge Testa
Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker
2022-05-06 | cyble | Cyble Research Labs
Rebranded Babuk Ransomware In Action: DarkAngels Ransomware Performs Targeted Attack
Babuk
2022-04-20 | Bleeping Computer | Bill Toulas
Microsoft Exchange servers hacked to deploy Hive ransomware
Babuk BlackByte Conti Hive LockFile
2022-03-24 | SentinelOne | Antonio Cocomazzi
Ransomware Encryption Internals: A Behavioral Characterization
Babuk BlackMatter
2022-03-23 | splunk | Shannon Davis
Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-02-23 | splunk | Shannon Davis, SURGe
An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-02-14 | KrebsOnSecurity | Brian Krebs
Wazawaka Goes Waka Waka
Babuk
2021-11-03 | Cisco Talos | Caitlin Huey, Chetan Raghuprasad, Vanja Svajcer
Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk
Babuk CHINACHOPPER
2021-10-26 | Github (vc0RExor) | Aaron Jornet
Babuk Ransomware
Babuk
2021-10-18 | McAfee | Thibault Seret
Is There Really Such a Thing as a Low-Paid Ransomware Operator?
Babuk
2021-10-12 | CrowdStrike | CrowdStrike Intelligence Team
ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil
2021-10-01 | ZeroFox | Stephan Simon
Babuk Ransomware Variant Delta Plus Used in Live Attacks After Source Code Leaked
Babuk
2021-09-10 | S2W LAB Inc. | S2W TALON
Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter
Babuk BlackMatter
2021-09-09 | Advanced Intelligence | Anastasia Sentsova, Yelisey Boguslavskiy
Groove VS Babuk; Groove Ransom Manifesto & RAMP Underground Platform Secret Inner Workings
Babuk
2021-09-08 | McAfee | John Fokker, Max Kersten, Thibault Seret
How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates
Babuk BlackMatter CTB Locker
2021-09-08 | Medium s2wlab | S2W TALON
Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands
Babuk BlackMatter
2021-09-01 | Medium s2wlab | Chaewon Moon, Denise Dasom Kim, Jungyeon Lim, S2W LAB INTELLIGENCE TEAM, Sujin Lim, Yeonghyeon Jeong
BlackMatter x Babuk : Using the same web server for sharing leaked files
Babuk BlackMatter
2021-08-15 | Symantec | Threat Hunter Team
The Ransomware Threat
Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-05 | KrebsOnSecurity | Brian Krebs
Ransomware Gangs and the Name Game Distraction
Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2021-07-28 | KELA | Victoria Kivilevich
New Russian-Speaking Forum – A New Place for RaaS?
Babuk
2021-07-28 | McAfee | Noël Keijzer, Thibault Seret
Babuk: Moving to VM and *nix Systems Before Stepping Away
Babuk
2021-07-05 | Lab52 | Th3spis
Quick review of Babuk ransomware builder
Babuk
2021-07-04 | Marco Ramilli's Blog | Marco Ramilli
Babuk Ransomware: The Builder
Babuk
2021-07-01 | BleepingComputer | Ionut Ilascu
Babuk ransomware is back, uses new version on corporate networks
Babuk
2021-06-30 | BleepingComputer | Lawrence Abrams
Leaked Babuk Locker ransomware builder used in new attacks
Babuk
2021-06-27 | Twitter (@GossiTheDog) | Kevin Beaumont
Tweet on babuk ransomware builder
Babuk
2021-06-27 | The Record | Catalin Cimpanu
Builder for Babuk Locker ransomware leaked online
Babuk
2021-06-10 | McAfee | ATR Operational Intelligence Team
Are Virtual Machines the New Gold for Cyber Criminals?
Babuk DarkSide
2021-06-06 | Bleeping Computer | Lawrence Abrams
New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions
Babuk FriedEx PayloadBIN WastedLocker
2021-06-03 | Medium s2wlab | Denise Dasom Kim, Hyunmin Suh, Jungyeon Lim, YH Jeong
W1 Jun | EN | Story of the week: Ransomware on the Darkweb
Babuk DarkSide
2021-05-31 | DataBreaches.net | Dissent
Babuk re-organizes as Payload Bin, offers its first leak
Babuk HelloKitty
2021-05-25 | Medium s2wlab | Denise Dasom Kim, Hyunmin Suh, Jungyeon Lim
W4 May | EN | Story of the week: Ransomware on the Darkweb
Babuk REvil
2021-05-12 | Kaspersky | Dmitry Galov, Ivan Kwiatkowski, Leonid Bezvershenko
Ransomware world in 2021: who, how and why
Babuk REvil
2021-05-10 | DarkTracer | DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-07 | Bleeping Computer | Lawrence Abrams
Data leak marketplaces aim to take over the extortion economy
Babuk Maze
2021-04-29 | Sekurak.pl | Sekurak
We managed to conduct an interview with the ransomware group (Babuk) that encrypted the Metropolitan Police in Washington
Babuk
2021-04-25 | Vulnerability.ch Blog | Corsin Camichel
Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-02-24 | McAfee | Alexandre Mundo, John Fokker, Thibault Seret, Thomas Roccia
Technical Analysis of Babuk Ransomware
Babuk
2021-02-08 | Medium Sebdraven | sebdraven
Babuk is distributed packed
Babuk
2021-02-05 | Trend Micro | Don Ovid Ladores, Junestherry Salvador, Llalum Victoria, Monte de Jesus, Nikko Tamana, Raphael Centeno
New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker
Babuk TeslaCrypt
2021-02-02 | Bleeping Computer | Lawrence Abrams
Babyk Ransomware won't hit charities, unless they support LGBT, BLM
Babuk
2021-01-26 | Medium s2wlab | Hyunmin Suh
W4 Jan | EN | Story of the week: Ransomware on the Darkweb
Avaddon Babuk LockBit
2021-01-16 | Chuongdong blog | Chuong Dong
Babuk Ransomware v3
Babuk
2021-01-05 | Twitter (@Sebdraven) | Sébastien Larinier
Tweet on link between Babuk and Vasa locker
Babuk
2021-01-03 | Chuongdong blog | Chuong Dong
Babuk Ransomware
Babuk
2021-01-01 | Sogeti | Sogeti
Babuk ransomware
Babuk
Yara Rules
[TLP:WHITE] win_babuk_auto (20230808 | Detects win.babuk.)
rule win_babuk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.babuk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 6800000100 e8???????? 83c404 }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   6800000100           | push                0x10000
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_1 = { 50 ff15???????? 83f803 7502 }
            // n = 4, score = 800
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83f803               | cmp                 eax, 3
            //   7502                 | jne                 4

        $sequence_2 = { 8b45fc 83c002 8945fc 837dfc0a 0f83dc000000 8b4dfc }
            // n = 6, score = 600
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83c002               | add                 eax, 2
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   837dfc0a             | cmp                 dword ptr [ebp - 4], 0xa
            //   0f83dc000000         | jae                 0xe2
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]

        $sequence_3 = { 8b4d08 8b540104 52 8b0401 50 e8???????? }
            // n = 6, score = 600
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b540104             | mov                 edx, dword ptr [ecx + eax + 4]
            //   52                   | push                edx
            //   8b0401               | mov                 eax, dword ptr [ecx + eax]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_4 = { 8b4dfc c1e108 ba01000000 d1e2 8b4508 }
            // n = 5, score = 600
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   c1e108               | shl                 ecx, 8
            //   ba01000000           | mov                 edx, 1
            //   d1e2                 | shl                 edx, 1
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_5 = { 8b95ccfdffff 83c201 8995ccfdffff 83bdccfdffff1f 735f 8d85f4fdffff }
            // n = 6, score = 600
            //   8b95ccfdffff         | mov                 edx, dword ptr [ebp - 0x234]
            //   83c201               | add                 edx, 1
            //   8995ccfdffff         | mov                 dword ptr [ebp - 0x234], edx
            //   83bdccfdffff1f       | cmp                 dword ptr [ebp - 0x234], 0x1f
            //   735f                 | jae                 0x61
            //   8d85f4fdffff         | lea                 eax, [ebp - 0x20c]

        $sequence_6 = { 8b4dfc 8b5508 8b44ca04 50 }
            // n = 4, score = 600
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b44ca04             | mov                 eax, dword ptr [edx + ecx*8 + 4]
            //   50                   | push                eax

        $sequence_7 = { 8b4d08 c7040100000000 c744010400000000 ba08000000 }
            // n = 4, score = 600
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   c7040100000000       | mov                 dword ptr [ecx + eax], 0
            //   c744010400000000     | mov                 dword ptr [ecx + eax + 4], 0
            //   ba08000000           | mov                 edx, 8

        $sequence_8 = { 0bca 894dfc 8b45fc c1e008 b901000000 }
            // n = 5, score = 600
            //   0bca                 | or                  ecx, edx
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   c1e008               | shl                 eax, 8
            //   b901000000           | mov                 ecx, 1

        $sequence_9 = { 8b0401 50 e8???????? 83c408 8945ec 8955f0 }
            // n = 6, score = 600
            //   8b0401               | mov                 eax, dword ptr [ecx + eax]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx

        $sequence_10 = { c744010400000000 ba08000000 6bc200 8b4d08 }
            // n = 4, score = 600
            //   c744010400000000     | mov                 dword ptr [ecx + eax + 4], 0
            //   ba08000000           | mov                 edx, 8
            //   6bc200               | imul                eax, edx, 0
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_11 = { 8b4508 c704107465206b c745fc00000000 eb09 }
            // n = 4, score = 600
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   c704107465206b       | mov                 dword ptr [eax + edx], 0x6b206574
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   eb09                 | jmp                 0xb

        $sequence_12 = { 744a 837dd801 7444 8b55ec 52 ff15???????? 8d45ac }
            // n = 7, score = 600
            //   744a                 | je                  0x4c
            //   837dd801             | cmp                 dword ptr [ebp - 0x28], 1
            //   7444                 | je                  0x46
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8d45ac               | lea                 eax, [ebp - 0x54]

        $sequence_13 = { e8???????? 83c410 c78574ffffff00000000 eb0f }
            // n = 4, score = 600
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   c78574ffffff00000000     | mov    dword ptr [ebp - 0x8c], 0
            //   eb0f                 | jmp                 0x11

        $sequence_14 = { 57 b808000000 6bc80a 8b5508 c7040a00000000 c7440a0400000000 c745fc00000000 }
            // n = 7, score = 600
            //   57                   | push                edi
            //   b808000000           | mov                 eax, 8
            //   6bc80a               | imul                ecx, eax, 0xa
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   c7040a00000000       | mov                 dword ptr [edx + ecx], 0
            //   c7440a0400000000     | mov                 dword ptr [edx + ecx + 4], 0
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0

        $sequence_15 = { 51 e8???????? 83c408 8945f4 8955f8 }
            // n = 5, score = 600
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8955f8               | mov                 dword ptr [ebp - 8], edx

    condition:
        7 of them and filesize < 183296
}