win.babuk

Babuk

aka: Babyk, Vasa Locker

Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most commonly seen builds, but an ESXi variant and an older 32-bit PE executable were observed over time as well. It uses an elliptic-curve algorithm (Montgomery-curve arithmetic) to build the encryption keys. Note that the Babuk builder and source code leaked in mid-2021, so later samples attributed to Babuk are frequently forks or rebrands built from the leaked code (e.g. Delta Plus, DarkAngels) rather than the original operation.

References
2022-12-07MorphisecMorphisec Labs
@online{labs:20221207:new:b712384, author = {Morphisec Labs}, title = {{New Babuk Ransomware Found in Major Attack}}, date = {2022-12-07}, organization = {Morphisec}, url = {https://blog.morphisec.com/babuk-ransomware-variant-major-attack}, language = {English}, urldate = {2022-12-29} } New Babuk Ransomware Found in Major Attack
Babuk
2022-08-24Trend MicroRyan Soliven, Hitomi Kimura
@online{soliven:20220824:ransomware:a88ee05, author = {Ryan Soliven and Hitomi Kimura}, title = {{Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus}}, date = {2022-08-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html}, language = {English}, urldate = {2022-09-20} } Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus
Babuk
2022-08-24Trend MicroRyan Soliven, Hitomi Kimura
@online{soliven:20220824:ransomware:20db707, author = {Ryan Soliven and Hitomi Kimura}, title = {{Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus (IoCs)}}, date = {2022-08-24}, organization = {Trend Micro}, url = {https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/IOCs-blog-Ransomware%20Actor%20Abuses%20Genshin%20Impact%20Anti-Cheat%20Driver%20to%20Kill%20Antivirus.txt}, language = {English}, urldate = {2022-08-30} } Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus (IoCs)
Babuk
2022-06-13Jorge TestaJorge Testa
@online{testa:20220613:killing:36e9385, author = {Jorge Testa}, title = {{Killing The Bear - Evil Corp}}, date = {2022-06-13}, organization = {Jorge Testa}, url = {https://killingthebear.jorgetesta.tech/actors/evil-corp}, language = {English}, urldate = {2022-07-01} } Killing The Bear - Evil Corp
FAKEUPDATES Babuk Blister DoppelPaymer Dridex Entropy FriedEx Hades Macaw Phoenix Locker WastedLoader WastedLocker
2022-05-06cybleCyble Research Labs
@online{labs:20220506:rebranded:5c7bea5, author = {Cyble Research Labs}, title = {{Rebranded Babuk Ransomware In Action: DarkAngels Ransomware Performs Targeted Attack}}, date = {2022-05-06}, organization = {cyble}, url = {https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/}, language = {English}, urldate = {2022-05-11} } Rebranded Babuk Ransomware In Action: DarkAngels Ransomware Performs Targeted Attack
Babuk
2022-04-20Bleeping ComputerBill Toulas
@online{toulas:20220420:microsoft:c1073df, author = {Bill Toulas}, title = {{Microsoft Exchange servers hacked to deploy Hive ransomware}}, date = {2022-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/}, language = {English}, urldate = {2022-04-24} } Microsoft Exchange servers hacked to deploy Hive ransomware
Babuk BlackByte Conti Hive LockFile
2022-03-24SentinelOneAntonio Cocomazzi
@techreport{cocomazzi:20220324:ransomware:be706fa, author = {Antonio Cocomazzi}, title = {{Ransomware Encryption Internals: A Behavioral Characterization}}, date = {2022-03-24}, institution = {SentinelOne}, url = {https://raw.githubusercontent.com/antonioCoco/infosec-talks/main/InsomniHack_2022_Ransomware_Encryption_Internals.pdf}, language = {English}, urldate = {2022-03-25} } Ransomware Encryption Internals: A Behavioral Characterization
Babuk Babuk BlackMatter
2022-03-23splunkShannon Davis
@online{davis:20220323:gone:56f570f, author = {Shannon Davis}, title = {{Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed}}, date = {2022-03-23}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/gone-in-52-seconds-and-42-minutes-a-comparative-analysis-of-ransomware-encryption-speed.html}, language = {English}, urldate = {2022-03-25} } Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-02-23splunkShannon Davis, SURGe
@techreport{davis:20220223:empirically:fe03729, author = {Shannon Davis and SURGe}, title = {{An Empirically Comparative Analysis of Ransomware Binaries}}, date = {2022-02-23}, institution = {splunk}, url = {https://www.splunk.com/en_us/pdfs/resources/whitepaper/an-empirically-comparative-analysis-of-ransomware-binaries.pdf}, language = {English}, urldate = {2022-03-25} } An Empirically Comparative Analysis of Ransomware Binaries
Avaddon Babuk BlackMatter Conti DarkSide LockBit Maze Mespinoza REvil Ryuk
2022-02-14KrebsOnSecurityBrian Krebs
@online{krebs:20220214:wazawaka:abd559f, author = {Brian Krebs}, title = {{Wazawaka Goes Waka Waka}}, date = {2022-02-14}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2022/02/wazawaka-goes-waka-waka/}, language = {English}, urldate = {2022-02-19} } Wazawaka Goes Waka Waka
Babuk
2021-11-03Cisco TalosChetan Raghuprasad, Vanja Svajcer, Caitlin Huey
@online{raghuprasad:20211103:microsoft:2b6de43, author = {Chetan Raghuprasad and Vanja Svajcer and Caitlin Huey}, title = {{Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk}}, date = {2021-11-03}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html}, language = {English}, urldate = {2021-11-03} } Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk
Babuk CHINACHOPPER
2021-10-26Github (vc0RExor)Aaron Jornet
@techreport{jornet:20211026:babuk:6e0cc22, author = {Aaron Jornet}, title = {{Babuk Ransomware}}, date = {2021-10-26}, institution = {Github (vc0RExor)}, url = {https://raw.githubusercontent.com/vc0RExor/Malware-Threat-Reports/main/Ransomware/Babuk/Babuk_Ransomware_EN_2021_05.pdf}, language = {English}, urldate = {2022-01-25} } Babuk Ransomware
Babuk
2021-10-18McAfeeThibault Seret
@online{seret:20211018:is:b238cf8, author = {Thibault Seret}, title = {{Is There Really Such a Thing as a Low-Paid Ransomware Operator?}}, date = {2021-10-18}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/is-there-really-such-a-thing-as-a-low-paid-ransomware-operator/}, language = {English}, urldate = {2021-10-26} } Is There Really Such a Thing as a Low-Paid Ransomware Operator?
Babuk
2021-10-12CrowdStrikeCrowdStrike Intelligence Team
@online{team:20211012:ecx:5540ee9, author = {CrowdStrike Intelligence Team}, title = {{ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity}}, date = {2021-10-12}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/big-game-hunting-on-the-rise-again-according-to-ecrime-index/}, language = {English}, urldate = {2021-11-02} } ECX: Big Game Hunting on the Rise Following a Notable Reduction in Activity
Babuk BlackMatter DarkSide REvil Avaddon Babuk BlackMatter DarkSide LockBit Mailto REvil
2021-10-01ZeroFoxStephan Simon
@online{simon:20211001:babuk:9bce12b, author = {Stephan Simon}, title = {{Babuk Ransomware Variant Delta Plus Used in Live Attacks After Source Code Leaked}}, date = {2021-10-01}, organization = {ZeroFox}, url = {https://www.zerofox.com/blog/babuk-ransomware-variant-delta-plus/}, language = {English}, urldate = {2021-10-11} } Babuk Ransomware Variant Delta Plus Used in Live Attacks After Source Code Leaked
Babuk
2021-09-10S2W LAB Inc.S2W TALON
@online{talon:20210910:groove:3dab88b, author = {S2W TALON}, title = {{Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter}}, date = {2021-09-10}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d}, language = {English}, urldate = {2021-09-14} } Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter
Babuk BlackMatter Babuk BlackMatter
2021-09-09Advanced IntelligenceYelisey Boguslavskiy, Anastasia Sentsova
@online{boguslavskiy:20210909:groove:f678f6d, author = {Yelisey Boguslavskiy and Anastasia Sentsova}, title = {{Groove VS Babuk; Groove Ransom Manifesto & RAMP Underground Platform Secret Inner Workings}}, date = {2021-09-09}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings}, language = {English}, urldate = {2021-09-12} } Groove VS Babuk; Groove Ransom Manifesto & RAMP Underground Platform Secret Inner Workings
Babuk Babuk
2021-09-08Medium s2wlabS2W TALON
@online{talon:20210908:grooves:64ea498, author = {S2W TALON}, title = {{Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands}}, date = {2021-09-08}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2}, language = {English}, urldate = {2021-09-12} } Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands
Babuk BlackMatter Babuk BlackMatter
2021-09-08McAfeeMax Kersten, John Fokker, Thibault Seret
@online{kersten:20210908:how:5c39aac, author = {Max Kersten and John Fokker and Thibault Seret}, title = {{How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates}}, date = {2021-09-08}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/}, language = {English}, urldate = {2021-09-12} } How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates
Babuk BlackMatter Babuk BlackMatter CTB Locker
2021-09-01Medium s2wlabS2W LAB INTELLIGENCE TEAM, Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong, Sujin Lim, Chaewon Moon
@online{team:20210901:blackmatter:6a2a025, author = {S2W LAB INTELLIGENCE TEAM and Denise Dasom Kim and Jungyeon Lim and Yeonghyeon Jeong and Sujin Lim and Chaewon Moon}, title = {{BlackMatter x Babuk : Using the same web server for sharing leaked files}}, date = {2021-09-01}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751}, language = {English}, urldate = {2021-09-06} } BlackMatter x Babuk : Using the same web server for sharing leaked files
Babuk BlackMatter Babuk BlackMatter
2021-08-15SymantecThreat Hunter Team
@techreport{team:20210815:ransomware:f799696, author = {Threat Hunter Team}, title = {{The Ransomware Threat}}, date = {2021-08-15}, institution = {Symantec}, url = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf}, language = {English}, urldate = {2021-12-15} } The Ransomware Threat
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-08-05KrebsOnSecurityBrian Krebs
@online{krebs:20210805:ransomware:0962b82, author = {Brian Krebs}, title = {{Ransomware Gangs and the Name Game Distraction}}, date = {2021-08-05}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/}, language = {English}, urldate = {2021-12-13} } Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Maze RansomEXX REvil Ryuk Sekhmet
2021-07-28McAfeeThibault Seret, Noël Keijzer
@techreport{seret:20210728:babuk:6d1325e, author = {Thibault Seret and Noël Keijzer}, title = {{Babuk: Moving to VM and *nix Systems Before Stepping Away}}, date = {2021-07-28}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-moving-to-vm-nix-systems.pdf}, language = {English}, urldate = {2021-07-29} } Babuk: Moving to VM and *nix Systems Before Stepping Away
Babuk
2021-07-28KELAVictoria Kivilevich
@online{kivilevich:20210728:new:7d537c8, author = {Victoria Kivilevich}, title = {{New Russian-Speaking Forum – A New Place for RaaS?}}, date = {2021-07-28}, organization = {KELA}, url = {https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/}, language = {English}, urldate = {2021-07-29} } New Russian-Speaking Forum – A New Place for RaaS?
Babuk
2021-07-05Lab52Th3spis
@online{th3spis:20210705:quick:b0fddf2, author = {Th3spis}, title = {{Quick review of Babuk ransomware builder}}, date = {2021-07-05}, organization = {Lab52}, url = {https://lab52.io/blog/quick-review-of-babuk-ransomware-builder/}, language = {English}, urldate = {2021-07-12} } Quick review of Babuk ransomware builder
Babuk
2021-07-04Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210704:babuk:3ba79a8, author = {Marco Ramilli}, title = {{Babuk Ransomware: The Builder}}, date = {2021-07-04}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/}, language = {English}, urldate = {2021-07-06} } Babuk Ransomware: The Builder
Babuk Babuk
2021-07-01BleepingComputerIonut Ilascu
@online{ilascu:20210701:babuk:81a1235, author = {Ionut Ilascu}, title = {{Babuk ransomware is back, uses new version on corporate networks}}, date = {2021-07-01}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-uses-new-version-on-corporate-networks/}, language = {English}, urldate = {2021-07-02} } Babuk ransomware is back, uses new version on corporate networks
Babuk
2021-06-30BleepingComputerLawrence Abrams
@online{abrams:20210630:leaked:ea62d8a, author = {Lawrence Abrams}, title = {{Leaked Babuk Locker ransomware builder used in new attacks}}, date = {2021-06-30}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/}, language = {English}, urldate = {2021-07-02} } Leaked Babuk Locker ransomware builder used in new attacks
Babuk
2021-06-27Twitter (@GossiTheDog)Kevin Beaumont
@online{beaumont:20210627:babuk:a031da5, author = {Kevin Beaumont}, title = {{Tweet on babuk ransomware builder}}, date = {2021-06-27}, organization = {Twitter (@GossiTheDog)}, url = {https://twitter.com/GossiTheDog/status/1409117153182224386}, language = {English}, urldate = {2021-07-01} } Tweet on babuk ransomware builder
Babuk
2021-06-27The RecordCatalin Cimpanu
@online{cimpanu:20210627:builder:40a8c38, author = {Catalin Cimpanu}, title = {{Builder for Babuk Locker ransomware leaked online}}, date = {2021-06-27}, organization = {The Record}, url = {https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/}, language = {English}, urldate = {2021-06-29} } Builder for Babuk Locker ransomware leaked online
Babuk
2021-06-10McAfeeATR Operational Intelligence Team
@online{team:20210610:are:14ab8d0, author = {ATR Operational Intelligence Team}, title = {{Are Virtual Machines the New Gold for Cyber Criminals?}}, date = {2021-06-10}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/}, language = {English}, urldate = {2021-06-21} } Are Virtual Machines the New Gold for Cyber Criminals?
Babuk DarkSide
2021-06-06Bleeping ComputerLawrence Abrams
@online{abrams:20210606:new:8c47cad, author = {Lawrence Abrams}, title = {{New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions}}, date = {2021-06-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/}, language = {English}, urldate = {2021-06-16} } New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions
Babuk FriedEx PayloadBIN WastedLocker
2021-06-03Medium s2wlabHyunmin Suh, Denise Dasom Kim, Jungyeon Lim, YH Jeong
@online{suh:20210603:w1:f034ac8, author = {Hyunmin Suh and Denise Dasom Kim and Jungyeon Lim and YH Jeong}, title = {{W1 Jun | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-06-03}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b}, language = {English}, urldate = {2021-06-16} } W1 Jun | EN | Story of the week: Ransomware on the Darkweb
DarkSide Babuk DarkSide
2021-05-31DataBreaches.netDissent
@online{dissent:20210531:babuk:4915c4b, author = {Dissent}, title = {{Babuk re-organizes as Payload Bin, offers its first leak}}, date = {2021-05-31}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/}, language = {English}, urldate = {2021-06-04} } Babuk re-organizes as Payload Bin, offers its first leak
Babuk HelloKitty
2021-05-25Medium s2wlabHyunmin Suh, Denise Dasom Kim, Jungyeon Lim
@online{suh:20210525:w4:b927684, author = {Hyunmin Suh and Denise Dasom Kim and Jungyeon Lim}, title = {{W4 May | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-05-25}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f}, language = {English}, urldate = {2021-06-16} } W4 May | EN | Story of the week: Ransomware on the Darkweb
Babuk REvil
2021-05-12KasperskyDmitry Galov, Leonid Bezvershenko, Ivan Kwiatkowski
@online{galov:20210512:ransomware:439cee0, author = {Dmitry Galov and Leonid Bezvershenko and Ivan Kwiatkowski}, title = {{Ransomware world in 2021: who, how and why}}, date = {2021-05-12}, organization = {Kaspersky}, url = {https://securelist.com/ransomware-world-in-2021/102169/}, language = {English}, urldate = {2021-05-13} } Ransomware world in 2021: who, how and why
Babuk REvil
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-07Bleeping ComputerLawrence Abrams
@online{abrams:20210507:data:c674b2b, author = {Lawrence Abrams}, title = {{Data leak marketplaces aim to take over the extortion economy}}, date = {2021-05-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/}, language = {English}, urldate = {2021-05-08} } Data leak marketplaces aim to take over the extortion economy
Babuk Maze
2021-04-29Sekurak.plSekurak
@online{sekurak:20210429:udao:8043e83, author = {Sekurak}, title = {{Udało nam się zrealizować wywiad z grupą ransomware (Babuk), która zaszyfrowała policję metropolitarną w Waszyngtonie}}, date = {2021-04-29}, organization = {Sekurak.pl}, url = {https://sekurak.pl/udalo-nam-sie-zrealizowac-wywiad-z-grupa-ransomware-babuk-ktora-zaszyfrowala-policje-metropolitarna-w-waszyngtonie/}, language = {Polish}, urldate = {2021-05-03} } Udało nam się zrealizować wywiad z grupą ransomware (Babuk), która zaszyfrowała policję metropolitarną w Waszyngtonie
Babuk
2021-04-25Vulnerability.ch BlogCorsin Camichel
@online{camichel:20210425:ransomware:1a1ee7f, author = {Corsin Camichel}, title = {{Ransomware and Data Leak Site Publication Time Analysis}}, date = {2021-04-25}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/}, language = {English}, urldate = {2021-04-29} } Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-02-24McAfeeAlexandre Mundo, Thibault Seret, Thomas Roccia, John Fokker
@techreport{mundo:20210224:technical:4d09445, author = {Alexandre Mundo and Thibault Seret and Thomas Roccia and John Fokker}, title = {{Technical Analysis of Babuk Ransomware}}, date = {2021-02-24}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf}, language = {English}, urldate = {2021-02-25} } Technical Analysis of Babuk Ransomware
Babuk
2021-02-08Medium Sebdravensebdraven
@online{sebdraven:20210208:babuk:138756c, author = {sebdraven}, title = {{Babuk is distributed packed}}, date = {2021-02-08}, organization = {Medium Sebdraven}, url = {https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62}, language = {English}, urldate = {2021-02-09} } Babuk is distributed packed
Babuk
2021-02-05Trend MicroRaphael Centeno, Monte de Jesus, Don Ovid Ladores, Junestherry Salvador, Nikko Tamana, Llalum Victoria
@online{centeno:20210205:new:33e89f1, author = {Raphael Centeno and Monte de Jesus and Don Ovid Ladores and Junestherry Salvador and Nikko Tamana and Llalum Victoria}, title = {{New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker}}, date = {2021-02-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html}, language = {English}, urldate = {2021-02-09} } New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker
Babuk TeslaCrypt
2021-02-02Bleeping ComputerLawrence Abrams
@online{abrams:20210202:babyk:0f0a60d, author = {Lawrence Abrams}, title = {{Babyk Ransomware won't hit charities, unless they support LGBT, BLM}}, date = {2021-02-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/}, language = {English}, urldate = {2021-02-04} } Babyk Ransomware won't hit charities, unless they support LGBT, BLM
Babuk
2021-01-26Medium s2wlabHyunmin Suh
@online{suh:20210126:w4:138a143, author = {Hyunmin Suh}, title = {{W4 Jan | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-01-26}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1}, language = {English}, urldate = {2021-01-27} } W4 Jan | EN | Story of the week: Ransomware on the Darkweb
Avaddon Babuk LockBit
2021-01-16Chuongdong blogChuong Dong
@online{dong:20210116:babuk:31553f3, author = {Chuong Dong}, title = {{Babuk Ransomware v3}}, date = {2021-01-16}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/}, language = {English}, urldate = {2021-05-13} } Babuk Ransomware v3
Babuk
2021-01-05Twitter (@Sebdraven)Sébastien Larinier
@online{larinier:20210105:link:91ecfb1, author = {Sébastien Larinier}, title = {{Tweet on link between Babuk and Vasa locker}}, date = {2021-01-05}, organization = {Twitter (@Sebdraven)}, url = {https://twitter.com/Sebdraven/status/1346377590525845504}, language = {English}, urldate = {2021-01-10} } Tweet on link between Babuk and Vasa locker
Babuk
2021-01-03Chuongdong blogChuong Dong
@online{dong:20210103:babuk:b5b2e9e, author = {Chuong Dong}, title = {{Babuk Ransomware}}, date = {2021-01-03}, organization = {Chuongdong blog}, url = {http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/}, language = {English}, urldate = {2021-01-21} } Babuk Ransomware
Babuk
2021SogetiSogeti
@techreport{sogeti:2021:babuk:607b96e, author = {Sogeti}, title = {{Babuk ransomware}}, date = {2021}, institution = {Sogeti}, url = {https://www.fr.sogeti.com/globalassets/france/avis-dexperts--livres-blancs/cybersecchronicles_-_babuk.pdf}, language = {English}, urldate = {2021-05-17} } Babuk ransomware
Babuk
Yara Rules
[TLP:WHITE] win_babuk_auto (20230125 | Detects win.babuk.)
rule win_babuk_auto {
    /* Auto-generated code-sequence signature for the Babuk Windows locker
     * (Malpedia family win.babuk). It matches 32-bit x86 instruction byte
     * patterns rather than strings or ransom-note text, so builds that only
     * changed names/notes may still be caught; conversely, a re-compilation
     * with different codegen can break individual sequences, which is why
     * the condition only requires a subset of them. */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.babuk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Each $sequence_N is a run of raw x86 opcode bytes. The "??" wildcards
     * mask call/jump displacements and absolute IAT slots (ff15 = call
     * dword ptr [imm32], e8 = call rel32), so the patterns do not depend on
     * load address or import-table layout. In the annotations, "n" is the
     * number of instructions in the sequence; "score" is presumably the
     * selection score yara-signator assigned (see the tool's documentation).
     * Several sequences contain "imul reg, reg, 0" (multiply by zero), which
     * looks like unoptimized codegen -- a build compiled with optimizations
     * on would likely not reproduce those bytes. NOTE(review): confirm
     * against samples before relying on those sequences alone. */

    strings:
        // cdecl call with a single 0x10000 (64 KiB) argument; target wildcarded
        $sequence_0 = { ff15???????? 6800000100 e8???????? 83c404 }
            // n = 4, score = 800
            //   ff15????????         |                     
            //   6800000100           | push                0x10000
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        // return value of an imported function compared against 3; this is a
        // short, fairly generic pattern, so it should not carry the match alone
        $sequence_1 = { 50 ff15???????? 83f803 7502 }
            // n = 4, score = 800
            //   50                   | push                eax
            //   ff15????????         |                     
            //   83f803               | cmp                 eax, 3
            //   7502                 | jne                 4

        $sequence_2 = { 57 b808000000 6bc80a 8b5508 c7040a00000000 }
            // n = 5, score = 600
            //   57                   | push                edi
            //   b808000000           | mov                 eax, 8
            //   6bc80a               | imul                ecx, eax, 0xa
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   c7040a00000000       | mov                 dword ptr [edx + ecx], 0

        $sequence_3 = { b909000000 8dbd6cffffff f3a5 6a24 8b956cffffff 52 8b4598 }
            // n = 7, score = 600
            //   b909000000           | mov                 ecx, 9
            //   8dbd6cffffff         | lea                 edi, [ebp - 0x94]
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   6a24                 | push                0x24
            //   8b956cffffff         | mov                 edx, dword ptr [ebp - 0x94]
            //   52                   | push                edx
            //   8b4598               | mov                 eax, dword ptr [ebp - 0x68]

        $sequence_4 = { 8b5508 c7040a00000000 c7440a0400000000 c745fc00000000 eb09 8b45fc 83c002 }
            // n = 7, score = 600
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   c7040a00000000       | mov                 dword ptr [edx + ecx], 0
            //   c7440a0400000000     | mov                 dword ptr [edx + ecx + 4], 0
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   eb09                 | jmp                 0xb
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83c002               | add                 eax, 2

        $sequence_5 = { 837dfc0a 0f83dc000000 8b4dfc 8b5508 }
            // n = 4, score = 600
            //   837dfc0a             | cmp                 dword ptr [ebp - 4], 0xa
            //   0f83dc000000         | jae                 0xe2
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

        $sequence_6 = { 56 57 c745a400000000 ff15???????? }
            // n = 4, score = 600
            //   56                   | push                esi
            //   57                   | push                edi
            //   c745a400000000       | mov                 dword ptr [ebp - 0x5c], 0
            //   ff15????????         |                     

        // "imul eax, edx, 0" below: unoptimized codegen, see note above strings:
        $sequence_7 = { ba08000000 6bc200 8b4d08 8b540104 }
            // n = 4, score = 600
            //   ba08000000           | mov                 edx, 8
            //   6bc200               | imul                eax, edx, 0
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b540104             | mov                 edx, dword ptr [ecx + eax + 4]

        $sequence_8 = { 8955f0 b908000000 6bf100 8b45ec 8b55f0 b11a }
            // n = 6, score = 600
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   b908000000           | mov                 ecx, 8
            //   6bf100               | imul                esi, ecx, 0
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   b11a                 | mov                 cl, 0x1a

        $sequence_9 = { 8945e4 8b4de4 83e909 894de4 837de419 7763 }
            // n = 6, score = 600
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   83e909               | sub                 ecx, 9
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   837de419             | cmp                 dword ptr [ebp - 0x1c], 0x19
            //   7763                 | ja                  0x65

        $sequence_10 = { 8b1481 8b4518 8b4d08 031481 8b4514 8b4d08 891481 }
            // n = 7, score = 600
            //   8b1481               | mov                 edx, dword ptr [ecx + eax*4]
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   031481               | add                 edx, dword ptr [ecx + eax*4]
            //   8b4514               | mov                 eax, dword ptr [ebp + 0x14]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   891481               | mov                 dword ptr [ecx + eax*4], edx

        $sequence_11 = { 8b0cca 51 e8???????? 83c408 8945f4 8955f8 8b45f4 }
            // n = 7, score = 600
            //   8b0cca               | mov                 ecx, dword ptr [edx + ecx*8]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8955f8               | mov                 dword ptr [ebp - 8], edx
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_12 = { 8b4d08 c7040100000000 c744010400000000 ba08000000 6bc200 }
            // n = 5, score = 600
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   c7040100000000       | mov                 dword ptr [ecx + eax], 0
            //   c744010400000000     | mov                 dword ptr [ecx + eax + 4], 0
            //   ba08000000           | mov                 edx, 8
            //   6bc200               | imul                eax, edx, 0

        $sequence_13 = { 7460 8d4db0 51 6a01 }
            // n = 4, score = 600
            //   7460                 | je                  0x62
            //   8d4db0               | lea                 ecx, [ebp - 0x50]
            //   51                   | push                ecx
            //   6a01                 | push                1

        $sequence_14 = { 52 8b0401 50 e8???????? 83c408 8945ec 8955f0 }
            // n = 7, score = 600
            //   52                   | push                edx
            //   8b0401               | mov                 eax, dword ptr [ecx + eax]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx

        $sequence_15 = { 8b948d70fdffff 89948508fdffff 8b85ecfdffff 83c001 8985ecfdffff eba4 }
            // n = 6, score = 600
            //   8b948d70fdffff       | mov                 edx, dword ptr [ebp + ecx*4 - 0x290]
            //   89948508fdffff       | mov                 dword ptr [ebp + eax*4 - 0x2f8], edx
            //   8b85ecfdffff         | mov                 eax, dword ptr [ebp - 0x214]
            //   83c001               | add                 eax, 1
            //   8985ecfdffff         | mov                 dword ptr [ebp - 0x214], eax
            //   eba4                 | jmp                 0xffffffa6

    condition:
        // At least 7 of the 16 sequences must be present (any order, any
        // distance apart) AND the scanned object must be smaller than
        // 183296 bytes (179 KiB). The size bound keeps the rule to small
        // standalone lockers; it will not fire on a larger packed dropper or
        // container. Because the sequences were lifted from memory dumps and
        // unpacked files (see DISCLAIMER), the rule is meant for unpacked
        // samples rather than the packed form the locker is distributed in.
        // NOTE(review): when scanning a live process instead of a file,
        // YARA's filesize is not meaningful and this clause may keep the
        // rule from matching -- confirm against your scanning workflow and
        // consider dropping the filesize check for memory scans.
        7 of them and filesize < 183296
}