win.babuk

Babuk

aka: Babyk, Vasa Locker

Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX builds and an older 32-bit PE executable were observed over time as well. It uses an elliptic-curve algorithm (Montgomery algorithm) to build the encryption keys.

References
2021-10-01ZeroFoxStephan Simon
@online{simon:20211001:babuk:9bce12b, author = {Stephan Simon}, title = {{Babuk Ransomware Variant Delta Plus Used in Live Attacks After Source Code Leaked}}, date = {2021-10-01}, organization = {ZeroFox}, url = {https://www.zerofox.com/blog/babuk-ransomware-variant-delta-plus/}, language = {English}, urldate = {2021-10-11} } Babuk Ransomware Variant Delta Plus Used in Live Attacks After Source Code Leaked
Babuk
2021-09-10S2W LAB Inc.S2W TALON
@online{talon:20210910:groove:3dab88b, author = {S2W TALON}, title = {{Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter}}, date = {2021-09-10}, organization = {S2W LAB Inc.}, url = {https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d}, language = {English}, urldate = {2021-09-14} } Groove x RAMP : The relation between Groove, Babuk, Payload.bin, RAMP, and BlackMatter
Babuk BlackMatter Babuk BlackMatter
2021-09-09Advanced IntelligenceYelisey Boguslavskiy, Anastasia Sentsova
@online{boguslavskiy:20210909:groove:f678f6d, author = {Yelisey Boguslavskiy and Anastasia Sentsova}, title = {{Groove VS Babuk; Groove Ransom Manifesto & RAMP Underground Platform Secret Inner Workings}}, date = {2021-09-09}, organization = {Advanced Intelligence}, url = {https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings}, language = {English}, urldate = {2021-09-12} } Groove VS Babuk; Groove Ransom Manifesto & RAMP Underground Platform Secret Inner Workings
Babuk Babuk
2021-09-08Medium s2wlabS2W TALON
@online{talon:20210908:grooves:64ea498, author = {S2W TALON}, title = {{Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands}}, date = {2021-09-08}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2}, language = {English}, urldate = {2021-09-12} } Groove’s thoughts on Blackmatter, Babuk, and cheese shortages in the Netherlands
Babuk BlackMatter Babuk BlackMatter
2021-09-08McAfeeMax Kersten, John Fokker, Thibault Seret
@online{kersten:20210908:how:5c39aac, author = {Max Kersten and John Fokker and Thibault Seret}, title = {{How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates}}, date = {2021-09-08}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/}, language = {English}, urldate = {2021-09-12} } How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates
Babuk BlackMatter Babuk BlackMatter CTB Locker
2021-09-01Medium s2wlabS2W LAB INTELLIGENCE TEAM, Denise Dasom Kim, Jungyeon Lim, Yeonghyeon Jeong, Sujin Lim, Chaewon Moon
@online{team:20210901:blackmatter:6a2a025, author = {S2W LAB INTELLIGENCE TEAM and Denise Dasom Kim and Jungyeon Lim and Yeonghyeon Jeong and Sujin Lim and Chaewon Moon}, title = {{BlackMatter x Babuk : Using the same web server for sharing leaked files}}, date = {2021-09-01}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751}, language = {English}, urldate = {2021-09-06} } BlackMatter x Babuk : Using the same web server for sharing leaked files
Babuk BlackMatter Babuk BlackMatter
2021-08-05KrebsOnSecurityBrian Krebs
@online{krebs:20210805:ransomware:0962b82, author = {Brian Krebs}, title = {{Ransomware Gangs and the Name Game Distraction}}, date = {2021-08-05}, organization = {KrebsOnSecurity}, url = {https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/}, language = {English}, urldate = {2021-08-06} } Ransomware Gangs and the Name Game Distraction
DarkSide RansomEXX Babuk Cerber Conti DarkSide DoppelPaymer Egregor FriedEx Gandcrab Hermes Ransomware Maze RansomEXX REvil Ryuk Sekhmet
2021-07-28McAfeeThibault Seret, Noël Keijzer
@techreport{seret:20210728:babuk:6d1325e, author = {Thibault Seret and Noël Keijzer}, title = {{Babuk: Moving to VM and *nix Systems Before Stepping Away}}, date = {2021-07-28}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-moving-to-vm-nix-systems.pdf}, language = {English}, urldate = {2021-07-29} } Babuk: Moving to VM and *nix Systems Before Stepping Away
Babuk
2021-07-28KELAVictoria Kivilevich
@online{kivilevich:20210728:new:7d537c8, author = {Victoria Kivilevich}, title = {{New Russian-Speaking Forum – A New Place for RaaS?}}, date = {2021-07-28}, organization = {KELA}, url = {https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/}, language = {English}, urldate = {2021-07-29} } New Russian-Speaking Forum – A New Place for RaaS?
Babuk
2021-07-05Lab52Th3spis
@online{th3spis:20210705:quick:b0fddf2, author = {Th3spis}, title = {{Quick review of Babuk ransomware builder}}, date = {2021-07-05}, organization = {Lab52}, url = {https://lab52.io/blog/quick-review-of-babuk-ransomware-builder/}, language = {English}, urldate = {2021-07-12} } Quick review of Babuk ransomware builder
Babuk
2021-07-04Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20210704:babuk:3ba79a8, author = {Marco Ramilli}, title = {{Babuk Ransomware: The Builder}}, date = {2021-07-04}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/}, language = {English}, urldate = {2021-07-06} } Babuk Ransomware: The Builder
Babuk Babuk
2021-07-01BleepingComputerIonut Ilascu
@online{ilascu:20210701:babuk:81a1235, author = {Ionut Ilascu}, title = {{Babuk ransomware is back, uses new version on corporate networks}}, date = {2021-07-01}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-uses-new-version-on-corporate-networks/}, language = {English}, urldate = {2021-07-02} } Babuk ransomware is back, uses new version on corporate networks
Babuk
2021-06-30BleepingComputerLawrence Abrams
@online{abrams:20210630:leaked:ea62d8a, author = {Lawrence Abrams}, title = {{Leaked Babuk Locker ransomware builder used in new attacks}}, date = {2021-06-30}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/}, language = {English}, urldate = {2021-07-02} } Leaked Babuk Locker ransomware builder used in new attacks
Babuk
2021-06-27Twitter (@GossiTheDog)Kevin Beaumont
@online{beaumont:20210627:babuk:a031da5, author = {Kevin Beaumont}, title = {{Tweet on babuk ransomware builder}}, date = {2021-06-27}, organization = {Twitter (@GossiTheDog)}, url = {https://twitter.com/GossiTheDog/status/1409117153182224386}, language = {English}, urldate = {2021-07-01} } Tweet on babuk ransomware builder
Babuk
2021-06-27The RecordCatalin Cimpanu
@online{cimpanu:20210627:builder:40a8c38, author = {Catalin Cimpanu}, title = {{Builder for Babuk Locker ransomware leaked online}}, date = {2021-06-27}, organization = {The Record}, url = {https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/}, language = {English}, urldate = {2021-06-29} } Builder for Babuk Locker ransomware leaked online
Babuk
2021-06-10McAfeeATR Operational Intelligence Team
@online{team:20210610:are:14ab8d0, author = {ATR Operational Intelligence Team}, title = {{Are Virtual Machines the New Gold for Cyber Criminals?}}, date = {2021-06-10}, organization = {McAfee}, url = {https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/}, language = {English}, urldate = {2021-06-21} } Are Virtual Machines the New Gold for Cyber Criminals?
Babuk DarkSide
2021-06-06Bleeping ComputerLawrence Abrams
@online{abrams:20210606:new:8c47cad, author = {Lawrence Abrams}, title = {{New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions}}, date = {2021-06-06}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/}, language = {English}, urldate = {2021-06-16} } New Evil Corp ransomware mimics PayloadBin gang to evade US sanctions
Babuk FriedEx WastedLocker
2021-06-03Medium s2wlabHyunmin Suh, Denise Dasom Kim, Jungyeon Lim, YH Jeong
@online{suh:20210603:w1:f034ac8, author = {Hyunmin Suh and Denise Dasom Kim and Jungyeon Lim and YH Jeong}, title = {{W1 Jun | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-06-03}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b}, language = {English}, urldate = {2021-06-16} } W1 Jun | EN | Story of the week: Ransomware on the Darkweb
DarkSide Babuk DarkSide
2021-05-31DataBreaches.netDissent
@online{dissent:20210531:babuk:4915c4b, author = {Dissent}, title = {{Babuk re-organizes as Payload Bin, offers its first leak}}, date = {2021-05-31}, organization = {DataBreaches.net}, url = {https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/}, language = {English}, urldate = {2021-06-04} } Babuk re-organizes as Payload Bin, offers its first leak
Babuk HelloKitty
2021-05-25Medium s2wlabHyunmin Suh, Denise Dasom Kim, Jungyeon Lim
@online{suh:20210525:w4:b927684, author = {Hyunmin Suh and Denise Dasom Kim and Jungyeon Lim}, title = {{W4 May | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-05-25}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f}, language = {English}, urldate = {2021-06-16} } W4 May | EN | Story of the week: Ransomware on the Darkweb
Babuk REvil
2021-05-12KasperskyDmitry Galov, Leonid Bezvershenko, Ivan Kwiatkowski
@online{galov:20210512:ransomware:439cee0, author = {Dmitry Galov and Leonid Bezvershenko and Ivan Kwiatkowski}, title = {{Ransomware world in 2021: who, how and why}}, date = {2021-05-12}, organization = {Kaspersky}, url = {https://securelist.com/ransomware-world-in-2021/102169/}, language = {English}, urldate = {2021-05-13} } Ransomware world in 2021: who, how and why
Babuk REvil
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-05-07Bleeping ComputerLawrence Abrams
@online{abrams:20210507:data:c674b2b, author = {Lawrence Abrams}, title = {{Data leak marketplaces aim to take over the extortion economy}}, date = {2021-05-07}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/}, language = {English}, urldate = {2021-05-08} } Data leak marketplaces aim to take over the extortion economy
Babuk Maze
2021-04-29Sekurak.plSekurak
@online{sekurak:20210429:udao:8043e83, author = {Sekurak}, title = {{Udało nam się zrealizować wywiad z grupą ransomware (Babuk), która zaszyfrowała policję metropolitarną w Waszyngtonie}}, date = {2021-04-29}, organization = {Sekurak.pl}, url = {https://sekurak.pl/udalo-nam-sie-zrealizowac-wywiad-z-grupa-ransomware-babuk-ktora-zaszyfrowala-policje-metropolitarna-w-waszyngtonie/}, language = {Polish}, urldate = {2021-05-03} } Udało nam się zrealizować wywiad z grupą ransomware (Babuk), która zaszyfrowała policję metropolitarną w Waszyngtonie
Babuk
2021-04-25Vulnerability.ch BlogCorsin Camichel
@online{camichel:20210425:ransomware:1a1ee7f, author = {Corsin Camichel}, title = {{Ransomware and Data Leak Site Publication Time Analysis}}, date = {2021-04-25}, organization = {Vulnerability.ch Blog}, url = {https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/}, language = {English}, urldate = {2021-04-29} } Ransomware and Data Leak Site Publication Time Analysis
Avaddon Babuk Clop Conti DarkSide DoppelPaymer Mespinoza Nefilim REvil
2021-02-24McAfeeAlexandre Mundo, Thibault Seret, Thomas Roccia, John Fokker
@techreport{mundo:20210224:technical:4d09445, author = {Alexandre Mundo and Thibault Seret and Thomas Roccia and John Fokker}, title = {{Technical Analysis of Babuk Ransomware}}, date = {2021-02-24}, institution = {McAfee}, url = {https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf}, language = {English}, urldate = {2021-02-25} } Technical Analysis of Babuk Ransomware
Babuk
2021-02-08Medium Sebdravensebdraven
@online{sebdraven:20210208:babuk:138756c, author = {sebdraven}, title = {{Babuk is distributed packed}}, date = {2021-02-08}, organization = {Medium Sebdraven}, url = {https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62}, language = {English}, urldate = {2021-02-09} } Babuk is distributed packed
Babuk
2021-02-05Trend MicroRaphael Centeno, Monte de Jesus, Don Ovid Ladores, Junestherry Salvador, Nikko Tamana, Llalum Victoria
@online{centeno:20210205:new:33e89f1, author = {Raphael Centeno and Monte de Jesus and Don Ovid Ladores and Junestherry Salvador and Nikko Tamana and Llalum Victoria}, title = {{New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker}}, date = {2021-02-05}, organization = {Trend Micro}, url = {https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html}, language = {English}, urldate = {2021-02-09} } New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker
Babuk TeslaCrypt
2021-02-02Bleeping ComputerLawrence Abrams
@online{abrams:20210202:babyk:0f0a60d, author = {Lawrence Abrams}, title = {{Babyk Ransomware won't hit charities, unless they support LGBT, BLM}}, date = {2021-02-02}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/}, language = {English}, urldate = {2021-02-04} } Babyk Ransomware won't hit charities, unless they support LGBT, BLM
Babuk
2021-01-26Medium s2wlabHyunmin Suh
@online{suh:20210126:w4:138a143, author = {Hyunmin Suh}, title = {{W4 Jan | EN | Story of the week: Ransomware on the Darkweb}}, date = {2021-01-26}, organization = {Medium s2wlab}, url = {https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1}, language = {English}, urldate = {2021-01-27} } W4 Jan | EN | Story of the week: Ransomware on the Darkweb
Avaddon Babuk LockBit
2021-01-16Chuongdong blogChuong Dong
@online{dong:20210116:babuk:31553f3, author = {Chuong Dong}, title = {{Babuk Ransomware v3}}, date = {2021-01-16}, organization = {Chuongdong blog}, url = {https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/}, language = {English}, urldate = {2021-05-13} } Babuk Ransomware v3
Babuk
2021-01-05Twitter (@Sebdraven)Sébastien Larinier
@online{larinier:20210105:link:91ecfb1, author = {Sébastien Larinier}, title = {{Tweet on link between Babuk and Vasa locker}}, date = {2021-01-05}, organization = {Twitter (@Sebdraven)}, url = {https://twitter.com/Sebdraven/status/1346377590525845504}, language = {English}, urldate = {2021-01-10} } Tweet on link between Babuk and Vasa locker
Babuk
2021-01-03Chuongdong blogChuong Dong
@online{dong:20210103:babuk:b5b2e9e, author = {Chuong Dong}, title = {{Babuk Ransomware}}, date = {2021-01-03}, organization = {Chuongdong blog}, url = {http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/}, language = {English}, urldate = {2021-01-21} } Babuk Ransomware
Babuk
2021SogetiSogeti
@techreport{sogeti:2021:babuk:607b96e, author = {Sogeti}, title = {{Babuk ransomware}}, date = {2021}, institution = {Sogeti}, url = {https://www.fr.sogeti.com/globalassets/france/avis-dexperts--livres-blancs/cybersecchronicles_-_babuk.pdf}, language = {English}, urldate = {2021-05-17} } Babuk ransomware
Babuk
Yara Rules
[TLP:WHITE] win_babuk_auto (20211008 | Detects win.babuk.)
// Autogenerated YARA-Signator rule for the Malpedia family win.babuk (Babuk ransomware).
// All ten patterns are 32-bit x86 code sequences (ebp-relative stack frames, push/call
// argument passing), i.e. they target the Windows PE build; the ARM/Linux and ESX
// variants mentioned in the family description will not contain these opcode bytes.
rule win_babuk_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-10-07"
        version = "1"
        description = "Detects win.babuk."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator was configured with (calls/jumps, data
        // references, binary values) — see the yara-signator documentation for details.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk"
        malpedia_rule_date = "20211007"
        // NOTE(review): presumably identifies the Malpedia dataset state the rule was
        // generated from, not a sample — confirm before treating it as an IoC.
        malpedia_hash = "e5b790e0f888f252d49063a1251ca60ec2832535"
        malpedia_version = "20211008"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "n" is the number of instructions in the sequence, "score" the generator's
        // selection score. The "????????" wildcards stand for the 4-byte operand of
        // e8 (relative call) and ff15 (call through an absolute pointer, typically an
        // import-table entry); those bytes differ per build, so they are masked and
        // the disassembly column is left blank.
        $sequence_0 = { 8b4d08 51 6a13 6a00 6a02 }
            // n = 5, score = 900
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   6a13                 | push                0x13
            //   6a00                 | push                0
            //   6a02                 | push                2

        $sequence_1 = { 8d45f0 50 8b4d08 51 6a13 6a00 }
            // n = 6, score = 900
            //   8d45f0               | lea                 eax, dword ptr [ebp - 0x10]
            //   50                   | push                eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   6a13                 | push                0x13
            //   6a00                 | push                0

        $sequence_2 = { ff15???????? 85c0 0f85ea000000 ff15???????? }
            // n = 4, score = 900
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f85ea000000         | jne                 0xf0
            //   ff15????????         |                     

        $sequence_3 = { c1e005 034508 50 e8???????? 83c404 }
            // n = 5, score = 900
            //   c1e005               | shl                 eax, 5
            //   034508               | add                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_4 = { 51 ff15???????? 85c0 0f8490000000 }
            // n = 4, score = 900
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f8490000000         | je                  0x96

        // Superset of $sequence_0 (and overlaps $sequence_1): wherever this matches,
        // $sequence_0 matches too, so the two are not independent evidence.
        $sequence_5 = { 50 8b4d08 51 6a13 6a00 6a02 e8???????? }
            // n = 7, score = 900
            //   50                   | push                eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   51                   | push                ecx
            //   6a13                 | push                0x13
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   e8????????           |                     

        // Superset of $sequence_2 (one extra leading push) — same dependency caveat.
        $sequence_6 = { 51 ff15???????? 85c0 0f85ea000000 ff15???????? }
            // n = 5, score = 900
            //   51                   | push                ecx
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   0f85ea000000         | jne                 0xf0
            //   ff15????????         |                     

        $sequence_7 = { 8b4d08 8b54010c 83e202 7414 }
            // n = 4, score = 900
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b54010c             | mov                 edx, dword ptr [ecx + eax + 0xc]
            //   83e202               | and                 edx, 2
            //   7414                 | je                  0x16

        // Shares its last three instructions with $sequence_7; likely the same code site.
        $sequence_8 = { c1e005 8b4d08 8b54010c 83e202 }
            // n = 4, score = 900
            //   c1e005               | shl                 eax, 5
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b54010c             | mov                 edx, dword ptr [ecx + eax + 0xc]
            //   83e202               | and                 edx, 2

        $sequence_9 = { e8???????? 6a07 6a00 6a00 ff15???????? }
            // n = 5, score = 900
            //   e8????????           |                     
            //   6a07                 | push                7
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     

    condition:
        // At least 7 of the 10 sequences must be present and the file must be smaller
        // than 183296 bytes (179 KiB). Because several sequences overlap (0/5, 2/6, 7/8),
        // the effective number of independent hits is lower than 7. The size bound
        // reflects the unpacked/dumped samples the rule was derived from; a packed
        // sample (see the "Babuk is distributed packed" reference) or a larger
        // container may exceed it and go unmatched, so scan unpacked content.
        7 of them and filesize < 183296
}