June 19, 2023
In contrast with previously observed ransomware threat actors, Babuk's operators advertise in English on more visible hacking forums. This new ransomware also lacks "kill switches", a common feature of the top-tier ransomware ecosystem that triggers when a language of the Commonwealth of Independent States (CIS) is detected as the default.
Another peculiar trait of Babuk's operators was a message posted on their DLS (dedicated leak site) claiming that organisations or NGOs will not be attacked, except those that support LGBT or Black Lives Matter (BLM). Such conservative political statements are uncommon for ransomware operators but could be consistent with a hacktivist group of Muslim faith, as substantiated by several elements described in our analysis from "social media intelligence"-oriented research.
Beyond the operational security errors in the Babuk codebase already reported by researchers, to which Babuk's operators are very attentive, we also found misconfigurations in the first version of their DLS. Building on the former observation, and with the support of our internal Purple Team, we developed a vaccine and demonstrated, in a credible simulated enterprise environment, that it prevents file encryption by recent variants of Babuk ransomware.
Feedback from Raj Samani, Chief Innovation Officer at McAfee, whose intelligence on the Babuk threat has also been pioneering. He also advises the European Center Europol.