S0638 Babuk
Babuk is a Ransomware-as-a-Service (RaaS) malware that has been used since at least 2021. The operators of Babuk employ a "Big Game Hunting" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.[1][2][3]
| Item | Value |
|---|---|
| ID | S0638 |
| Associated Names | Babyk, Vasa Locker |
| Type | MALWARE |
| Version | 1.0 |
| Created | 11 August 2021 |
| Last Modified | 13 October 2021 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Babyk | [1][2][4] |
| Vasa Locker | [1][2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Babuk has the ability to use the command line to control execution on compromised hosts.[1][2] |
| enterprise | T1486 | Data Encrypted for Impact | Babuk can use ChaCha8 and ECDH to encrypt data.[1][2][5][4] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Babuk has the ability to unpack itself into memory using XOR.[1][5] |
| enterprise | T1083 | File and Directory Discovery | Babuk has the ability to enumerate files on a targeted system.[2][4] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Babuk can stop anti-virus services on a compromised host.[1] |
| enterprise | T1490 | Inhibit System Recovery | Babuk has the ability to delete shadow volumes using `vssadmin.exe delete shadows /all /quiet`.[1][2] |
| enterprise | T1106 | Native API | Babuk can use multiple Windows API calls for actions on compromised hosts, including discovery and execution.[1][2][5] |
| enterprise | T1135 | Network Share Discovery | Babuk has the ability to enumerate network shares.[1] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | Versions of Babuk have been packed.[1][2][5] |
| enterprise | T1057 | Process Discovery | Babuk has the ability to check running processes on a targeted system.[1][2][4] |
| enterprise | T1489 | Service Stop | Babuk can stop specific services related to backups.[1][2][4] |
| enterprise | T1082 | System Information Discovery | Babuk can enumerate disk volumes, get disk information, and query service status.[2] |
| enterprise | T1049 | System Network Connections Discovery | Babuk can use `WNetOpenEnumW` and `WNetEnumResourceW` to enumerate files in network resources for encryption.[2] |
| enterprise | T1007 | System Service Discovery | Babuk can enumerate all services running on a compromised host.[2] |
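The T1490 row above gives the exact shadow-copy deletion command line; the detection logic below is an added example (not ATT&CK or Babuk code) that scans constructed process-creation records for it, tolerating case and spacing changes, skipping malformed records, and noting whether the parent process was an administrator's shell. The record format and sample lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records (not real telemetry), one per
# line: "<timestamp>|<host>|<parent image>|<command line>".
SAMPLE_LOG = """\
2021-08-11T09:12:03Z|ws-17|C:\\Windows\\explorer.exe|"C:\\Users\\a\\Downloads\\invoice.exe"
2021-08-11T09:12:05Z|ws-17|C:\\Users\\a\\Downloads\\invoice.exe|vssadmin.exe delete shadows /all /quiet
2021-08-11T09:13:44Z|srv-02|C:\\Windows\\System32\\cmd.exe|VSSADMIN  Delete Shadows /For=C: /Quiet
2021-08-11T09:15:10Z|srv-02|C:\\Windows\\System32\\cmd.exe|vssadmin.exe list shadows
this record is truncated and has no field separators
2021-08-11T09:16:00Z|ws-17|C:\\Windows\\System32\\cmd.exe|vssadmin.exe delete shadows /all /quiet
"""

# "vssadmin delete shadows" regardless of case, ".exe" suffix or token spacing.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
SWITCH = re.compile(r"/\w+(?:=\S+)?")
# Parent images from which an administrator would normally run vssadmin.
ADMIN_SHELLS = ("cmd.exe", "powershell.exe")


@dataclass
class Finding:
    timestamp: str
    host: str
    parent: str
    flags: list
    from_admin_shell: bool  # False: spawned by something other than a shell


def detect_shadow_deletion(log_text: str) -> list:
    """Return one Finding per record whose command line deletes shadow copies."""
    findings = []
    for raw in log_text.splitlines():
        parts = raw.split("|", 3)
        if len(parts) != 4:  # malformed or truncated record: skip, don't crash
            continue
        ts, host, parent, cmd = parts
        if not SHADOW_DELETE.search(cmd):
            continue
        findings.append(Finding(ts, host, parent, SWITCH.findall(cmd),
                                parent.lower().endswith(ADMIN_SHELLS)))
    return findings


if __name__ == "__main__":
    for f in detect_shadow_deletion(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host} parent={f.parent} flags={f.flags} "
              f"from_admin_shell={f.from_admin_shell}")
```

A deletion spawned by a non-shell parent (here the file from the Downloads folder) is the higher-priority alert; the same command from an administrator's shell still merits review because T1490 is the last step before encryption.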
References
[1] Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.
[2] Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
[3] Lyngaas, S. (2021, February 4). Meet Babuk, a ransomware attacker blamed for the Serco breach. Retrieved August 11, 2021.
[4] Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021.
[5] Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021.