Skip to content

S0638 Babuk

Babuk is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of Babuk employ a “Big Game Hunting” approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.123

Item Value
ID S0638
Associated Names Babyk, Vasa Locker
Version 1.0
Created 11 August 2021
Last Modified 13 October 2021
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Babyk 124
Vasa Locker 12

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Babuk has the ability to use the command line to control execution on compromised hosts.12
enterprise T1486 Data Encrypted for Impact Babuk can use ChaCha8 and ECDH to encrypt data.1254
enterprise T1140 Deobfuscate/Decode Files or Information Babuk has the ability to unpack itself into memory using XOR.15
enterprise T1083 File and Directory Discovery Babuk has the ability to enumerate files on a targeted system.24
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Babuk can stop anti-virus services on a compromised host.1
enterprise T1490 Inhibit System Recovery Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet.12
enterprise T1106 Native API Babuk can use multiple Windows API calls for actions on compromised hosts including discovery and execution.125
enterprise T1135 Network Share Discovery Babuk has the ability to enumerate network shares.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.002 Software Packing Versions of Babuk have been packed.125
enterprise T1057 Process Discovery Babuk has the ability to check running processes on a targeted system.124
enterprise T1489 Service Stop Babuk can stop specific services related to backups.124
enterprise T1082 System Information Discovery Babuk can enumerate disk volumes, get disk information, and query service status.2
enterprise T1049 System Network Connections Discovery Babuk can use “WNetOpenEnumW” and “WNetEnumResourceW” to enumerate files in network resources for encryption.2
enterprise T1007 System Service Discovery Babuk can enumerate all services running on a compromised host.2