The recently leaked Babuk Locker ransomware builder was used by a threat actor in an ongoing campaign targeting victims worldwide.
At the end of June, The Record first reported that the builder for the Babuk Locker ransomware was leaked online allowing threat actors to use it to create their own version of the popular ransomware.
The Babuk Locker operators halted their operations at the end of April after the attack against the Washington, DC police department. Experts believe that the decision of the group to leave the ransomware practice could be the result of an operational error, it was a bad idea to threaten the US police department due to the information that it manages.
The ransomware gang broke into the Washington, D.C., Metropolitan Police Department, encrypted its files and demanded a $4 million ransom.
At the end of May, the Babuk ransomware operators rebranded their ransomware leak site into Payload.bin and started offering the opportunity to other gangs to use it to leak data stolen from their victims.
The Record experts this week obtained and analyzed a copy of the builder and confirmed that it allows creating custom versions of the Babuk Locker ransomware that works for Windows systems, ARM-based network storage attached (NAS) devices, and VMWare ESXi servers.
“According to a copy of the leak, obtained and tested by The Record, the Babuk Locker “builder” can be used to create custom versions of the Babuk Locker ransomware that can be used to encrypt files hosted on Windows systems, ARM-based network storage attached (NAS) devices, and VMWare ESXi servers.” reported The Record. “At the time of writing, it is unclear if the Babuk gang tried to sell their ransomware builder to a third party in a transaction that went bad, or if the builder was leaked by a rival or a white-hat security researcher.”
The available builder also generates decrypters that could be used by victims to recover the encrypted files.
The builder was uploaded on the VirusTotal malware scanning service and was discovered by the popular cybersecurity expert Kevin Beaumont.
Ransomware leak time – Babuk's builder. Used for making Babuk payloads and decryption.
builder.exe foldername, e.g. builder.exe victim will spit out payloads for:
Windows, VMware ESXi, network attached storage x86 and ARM.
note.txt must contain ransom.https://t.co/K3J3zr1XBv pic.twitter.com/1bl7oc0TvO
— Kevin Beaumont (@GossiTheDog) June 27, 2021
The builder allows customizing ransomware encryptors and decryptors and the ransom note.
BleepingComputer tested the builder and confirmed that the ransomware could target Windows, VMware ESXi, Network Attached Storage (NAS) x86, and NAS ARM devices.
Source: BleepingComputer.com
Soon after the builder was leaked online, a threat actor began using it to launch a very active ransomware campaign.
Now BleepingComputer reported the use of the builder in a fresh attack, this week a victim reported on Reddit that they were hit by the ‘Babuk Locker.’
MalwareHunterTeam researchers reported multiple Babuk Locker submissions from organizations worldwide starting on June 29th.
Finally confirmed for sure that Babuck ransomware is really Babuk with a different note.
Sample: c94a81fdf688d220827320e88cc0b89af8690142abe5c602131b6659297c7d24
From (opendir): https://etherbonus[.]net/crypto.exe@demonslay335 pic.twitter.com/2rvpo3zRNo— MalwareHunterTeam (@malwrhunterteam) July 1, 2021
Other researchers confirmed the ongoing campaign.
We've aggregated fresh Babuk samples courtesy of @malwrhunterteam. You can download the Babuk samples here:
https://vx-underground[.]org/tmp/Babuk7.1.2021.zip
* Samples may be from live campaign – proceed with caution
* Link modified to conform with Twitters ban on our domains pic.twitter.com/rz3Ni9bjUe— vx-underground (@vxunderground) July 1, 2021
“Compared to the original Babuk Ransomware operation that demanded hundreds of thousands, if not millions, of dollars to recover their files, this new threat actor is only asking for .006 bitcoins or approximately $210 from their victims.” reported BleepingComputer.
“The new threat actors also misspelled Babuk by adding a ‘C’ to ‘Babuck Locker’ in the ransom note.”
Unlike previous attacks, in new attacks, the ransomware operators are using email(babukransom@tutanota.com) to communicate with victims.
(SecurityAffairs – hacking, Babuk Locker)
Share On
Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
The recently leaked Babuk Locker ransomware builder was used by a threat actor in an ongoing campaign targeting victims worldwide.
At the end of June, The Record first reported that the builder for the Babuk Locker ransomware was leaked online allowing threat actors to use it to create their own version of the popular ransomware.
The Babuk Locker operators halted their operations at the end of April after the attack against the Washington, DC police department. Experts believe that the decision of the group to leave the ransomware practice could be the result of an operational error, it was a bad idea to threaten the US police department due to the information that it manages.
The ransomware gang broke into the Washington, D.C., Metropolitan Police Department, encrypted its files and demanded a $4 million ransom.
At the end of May, the Babuk ransomware operators rebranded their ransomware leak site into Payload.bin and started offering the opportunity to other gangs to use it to leak data stolen from their victims.
The Record experts this week obtained and analyzed a copy of the builder and confirmed that it allows creating custom versions of the Babuk Locker ransomware that works for Windows systems, ARM-based network storage attached (NAS) devices, and VMWare ESXi servers.
“According to a copy of the leak, obtained and tested by The Record, the Babuk Locker “builder” can be used to create custom versions of the Babuk Locker ransomware that can be used to encrypt files hosted on Windows systems, ARM-based network storage attached (NAS) devices, and VMWare ESXi servers.” reported The Record. “At the time of writing, it is unclear if the Babuk gang tried to sell their ransomware builder to a third party in a transaction that went bad, or if the builder was leaked by a rival or a white-hat security researcher.”
The available builder also generates decrypters that could be used by victims to recover the encrypted files.
The builder was uploaded on the VirusTotal malware scanning service and was discovered by the popular cybersecurity expert Kevin Beaumont.
Ransomware leak time – Babuk's builder. Used for making Babuk payloads and decryption.
builder.exe foldername, e.g. builder.exe victim will spit out payloads for:
Windows, VMware ESXi, network attached storage x86 and ARM.
note.txt must contain ransom.https://t.co/K3J3zr1XBv pic.twitter.com/1bl7oc0TvO
— Kevin Beaumont (@GossiTheDog) June 27, 2021
The builder allows customizing ransomware encryptors and decryptors and the ransom note.
BleepingComputer tested the builder and confirmed that the ransomware could target Windows, VMware ESXi, Network Attached Storage (NAS) x86, and NAS ARM devices.
Source: BleepingComputer.com
Soon after the builder was leaked online, a threat actor began using it to launch a very active ransomware campaign.
Now BleepingComputer reported the use of the builder in a fresh attack, this week a victim reported on Reddit that they were hit by the ‘Babuk Locker.’
MalwareHunterTeam researchers reported multiple Babuk Locker submissions from organizations worldwide starting on June 29th.
Finally confirmed for sure that Babuck ransomware is really Babuk with a different note.
Sample: c94a81fdf688d220827320e88cc0b89af8690142abe5c602131b6659297c7d24
From (opendir): https://etherbonus[.]net/crypto.exe@demonslay335 pic.twitter.com/2rvpo3zRNo— MalwareHunterTeam (@malwrhunterteam) July 1, 2021
Other researchers confirmed the ongoing campaign.
We've aggregated fresh Babuk samples courtesy of @malwrhunterteam. You can download the Babuk samples here:
https://vx-underground[.]org/tmp/Babuk7.1.2021.zip
* Samples may be from live campaign – proceed with caution
* Link modified to conform with Twitters ban on our domains pic.twitter.com/rz3Ni9bjUe— vx-underground (@vxunderground) July 1, 2021
“Compared to the original Babuk Ransomware operation that demanded hundreds of thousands, if not millions, of dollars to recover their files, this new threat actor is only asking for .006 bitcoins or approximately $210 from their victims.” reported BleepingComputer.
“The new threat actors also misspelled Babuk by adding a ‘C’ to ‘Babuck Locker’ in the ransom note.”
Unlike previous attacks, in new attacks, the ransomware operators are using email(babukransom@tutanota.com) to communicate with victims.
(SecurityAffairs – hacking, Babuk Locker)