Babuk Locker Ransomware: An Enterprise Ransomware Targeting Large Corporations with Double-Extortion Tactics
Babuk Locker Ransomware is a highly sophisticated malware strain that has geared its attacks mainly against large corporate and government networks but can affect individual users as well. Victims who get their systems infected with Babuk Locker Ransomware have their files encrypted with a potent combination of SHA256 hashing and ChaCha8 encryption coupled with ECDH key generation and algorithm. In layman’s terms, this means that hackers responsible for the ransomware are the only individuals who hold the necessary decryption keys and tools to restore your locked files.
Babuk Locker Ransomware abuses the Windows Restart Manager to stop any processes that might interfere with its operations. This includes instances where a specific file may be opened in a particular program and thus unable to be encrypted. Some of the top targets of Babuk Locker Ransomware include notepad.exe, sql.exe, outlook.exe, firefox.exe, dbsnmp.exe, ocssd.exe, isqlplussvc.exe, excel.exe.
This ransomware might also delete the VSS (Volume Shadow Copy) default backups that Windows creates. It may also attempt to cause the maximum amount of damage possible by seeking out and encrypting any remote drives that are connected to the infected system. Your private information may also be exfiltrated to the servers of the hackers, as this very scenario is mentioned in Babuk Locker Ransomware’s ransom note which reads in part:
Hello! What happend? Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us – a universal decoder. This program will restore your entire network. Follow our instructions below and you will recover all your data. If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web. What guarantees? We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us. DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
According to researchers, directories related to the installed applications, operating system, core files and browsers have been excluded from the encryption process. These include:
$Recycle.Bin, All Users, Google, Internet Explorer, Mozilla, Mozilla Firefox, Opera, Opera Software, ProgramData, Program Files (x86), Program Files, Tor Browser, Windows, Windows.old, autorun.inf, boot.ini, bootfont.bin, bootmgfw.efi, bootmgr, bootmgr.efi, bootsect.bak, desktop.ini, iconcache.db, ntldr, ntuser.dat, ntuser.dat.log, ntuser.ini, thumbs.db
Babuk Locker Ransomware uses the double-extortion model. This means that they encrypt the data, exfiltrate it, and threaten to expose it if a ransom is not paid. Reports have also indicated that the hackers may first attempt to determine if the contact with the victim is being carried out by a ‘recovery company,’ and whether the victim has ransomware insurance, most likely in an effort to potentially extort a higher ransom payment. The ransom demands have varied between $60,000 and $85,000 paid in Bitcoin. Failure to contact the hackers or pay ransom demands will likely lead to the victim having their information leaked on the threat actor’s leak site to shame the victim into compliance.