Technical difficulties associated with the creation of new ransomware variants to target Linux and Unix, and VMware ESXi systems, may have forced the Babuk ransomware gang to change up their tactics, according to new research by McAfee researcher Thibault Seret and Noël Keijzer, a digital forensics and incident response specialist at Dutch security firm Northwave.
Babuk, a relatively unsophisticated yet still highly dangerous ransomware, first emerged earlier in 2021, and the people behind it aggressively went after a number of high-profile targets.
At the time, McAfee’s research team found the ransomware operators were experimenting with writing their binaries in the cross-platform Golang, or Go, language, and making a lot of mistakes in the process – a phenomena also observed by BlackBerry.
According to Seret and Keijzer, the gang’s coding errors may have come back to haunt them. They wrote: “This led to a situation in which files could not be retrieved, even if payment was made.
“The design and coding of the decryption tool are poorly developed, meaning if companies decide to pay the ransom, the decoding process for encrypted files can be really slow and there is no guarantee that all files will be recoverable.”
Then, in April 2021, the operators announced they would stop encrypting their victims’ systems and instead focus on exfiltrating and publishing data from those who were unresponsive to its extortion attempts, as well as hosting the publishing data for other ransomware operators, in effect moving towards an illicit data management business model.
The researchers now think the damage the gang caused by operating with technically flawed ransomware was hurting their ability to turn a profit.
“Ultimately, the difficulties faced by the Babuk developers in creating ESXi ransomware may have led to a change in business model, from encryption to data theft and extortion,” wrote Seret and Keijzer.
Overall, the Babuk decryptor failed because it only checked for the file extension .babyk, which meant it missed any files the victim might have renamed to try to recover them, but there were a number of other issues with it. More details of exactly how bad the decryptor was, and the errors that crept in, can be read in Seret and Keijzer’s full report.
Users of McAfee’s technology are protected from Babuk, but others should be on the lookout for a number of tactics, techniques and procedures (TTPs) that are, overall, similar to those used by other competitive ransomware-as-a-service (RaaS) operations.
Notably, in Babuk’s case, the gang has previously tried to recruit individuals with penetration testing skills, so security teams should be on the lookout for any activity that correlates to open source hacking tools, such as winPEAS, Bloodhound and SharpHound, and – it almost goes without saying – the Cobalt Strike framework.
Dodgy behaviour from non-malicious tools with a dual use, such as ADfind, PSExec and PowerShell, may also suggest a Babuk affiliate is sniffing around.
Entry vectors favoured by Babuk have included: targeted spear-phishing emails; the exploit of disclosed unpatched common vulnerabilities and exposures (CVEs) or zero-days in public-facing applications; and the use of valid accounts gleaned through weakly protected Remote Desktop Protocol (RDP) access.
More guidance on locking down such entry points and mitigating ransomware attacks is available from the UK’s National Cyber Security Centre.