Babuk is a ransomware family discovered in early 2021 that has breached at least five large enterprises and extorted at least one victim for $85,000, with stolen data posted to a public leak site. McAfee analysis links Babuk to similar RaaS behaviors, recruitment on underground forums, and code artifacts resembling Vasa Locker. #Babuk #VasaLocker
Keypoints
- Babuk ransomware emerged in early 2021 and has impacted at least five enterprises, with one confirmed ransom payment of $85,000.
- Operators use targeted Ransomware-as-a-Service (RaaS) methods, recruiting affiliates on both English- and Russian-language forums.
- McAfee telemetry (MVISION Insights) shows targeting across transportation, healthcare, plastics, electronics, and agriculture sectors globally.
- Babuk's code and artifacts are highly similar to Vasa Locker, and the group publishes stolen data on a public leak site (hxxp://gtmx56k4hutn3ikv.onion/).
- Common entry vectors observed or expected include spearphishing, exploitation of public-facing apps, and use of valid accounts (including RDP and credentials from infostealers).
- The ransomware supports command-line operation, has built-in propagation/encryption commands, kills specified services/processes, and recent samples have been seen packed.
MITRE Techniques
- [T1566.001] E-mail Spearphishing - Used as a common initial foothold to engage targets or deliver a loader ("E-mail Spearphishing (T1566.001). Often used to directly engage and/or gain an initial foothold, the initial phishing email can also be linked to a different malware strain, which acts as a loader and entry point for the ransomware gangs to continue completely compromising a victim's network.").
- [T1190] Exploit Public-Facing Application - Exploitation of internet-facing services is cited as another frequent entry vector ("Exploit Public-Facing Application (T1190) is another common entry vector; cyber criminals are avid consumers of security news and are always on the lookout for a good exploit.").
- [T1078] Valid Accounts - Use of stolen or weak credentials (e.g., RDP/VPN) to gain access is highlighted as a proven method ("Using valid accounts (T1078) is and has been a proven method for cybercriminals to gain a foothold. After all, why break the door if you have the keys?").
Indicators of Compromise
- [Onion leak site] Public data leak site used by operators - hxxp://gtmx56k4hutn3ikv.onion/
- [Detection name / hash] DAT/report detection naming - Ransom-Babuk!<hash> (example detection format), plus other file hashes referenced in the technical report.
- [Binary/family] Malware family and packed samples - Babuk ransomware binary (recent variant observed packed) and associated artifacts referenced in the McAfee analysis.