Deep Dive into Builder of Notorious Babuk Ransomware

In January 2021, a new ransomware called “Babuk” came to light after impacting at least five big enterprises. The ransomware has targeted many well-known organizations across several industry sectors such as Manufacturing, Transportation, Construction and Materials, and Law Firms, among others. Our research indicates that the Babuk ransomware group was highly active in May 2021 and performed at least 42 attacks, as shown in the figure below. 

Babuk Ransomware Cyber Attacks by Regions

Figure 1 – Countries affected by the ransomware 

The top 5 countries affected by the Babuk ransomware are the U.S, Canada, Spain, France, and Germany. The image below showcases the distribution of the top 10 industries targeted by Babuk. 

Babuk Ransomware Attacks by Industry

Figure 2 – Industry-wise split of victims 

During our routine Open-source Intelligence (OSINT) research, Cyble researchers came across a leaked binary of the Babuk ransomware builder, which was initially brought to light in a post on Twitter.

Upon extraction of the .zip file, we were presented with the following binaries. 

Figure 3 – Binaries extracted from the zip file

We launched the “builder.exe [FolderName]” command to generate the Babuk encryptor/decryptor binaries in the [FolderName]. 

Figure 4 – Binaries generated by builder.exe

Below are the details of each file: 

Sr. No  Pre-Build Binaries  Post-Build Binaries  Description
1       d_esxi.out          d_esxi.out           Decryptor for ESXi
2       d_nas_arm.out       d_nas_arm.out        Decryptor for NAS ARM
3       d_nas_x86.out       d_nas_x86.out        Decryptor for NAS x86
4       d_win.bin           d_win.exe            Decryptor for Windows
5       e_esxi.out          e_esxi.out           Encryptor for ESXi
6       e_nas_arm.out       e_nas_arm.out        Encryptor for NAS ARM
7       e_nas_x86.out       e_nas_x86.out        Encryptor for NAS x86
8       e_win.bin           e_win.exe            Encryptor for Windows
9       note.txt            NA                   Ransom Note

Table 1 

  • Babuk Builder Analysis 

Execution Flow of Babuk Builder 

Figure 5 – Execution Flow of Babuk Builder 

We started with the static analysis of the Babuk Builder and found that the application is a console-based x86 application, compiled on “2021-03-16 10:03:10” and developed using C/C++.

Figure 6 – Static information of builder.exe 

During the code analysis, we found that the code/function shown in the image below is a critical part of the Babuk Builder. In the figure, we can see that the “CryptGenRandom” API is used to generate the “random seed” (KS), and the function “sub_4044F0” is called to generate the “Key” (KP).

Figure 7 – Seed and Key value generator functions 

The code shown in the figure below concatenates the folder name with the “Post-Build” binary name, and then the “Pre-Build” binary name is passed to the “sub_404790” and “sub_404650” functions. “sub_404790” is used to create the ransomware (encryptor) binaries, whereas “sub_404650” is used to create the decryptor binaries.

Figure 8 – Functions for creating the encryptor/ransomware and decryptor for each architecture

The code shown in the figure below is a part of the “sub_404650” function that has the task of hardcoding the “Ransom Note” and “Key” (KP). 

Figure 9 – Hardcoding Ransom note content and Key (KP) 

We can see the Ransom Note and the “Key” (KP) in the two figures below, captured during the runtime (process execution) analysis. The first figure shows the “Key” (KP), while the second shows the Ransom Note.

Figure 10 – Hardcoding Key (KP)

Figure 11 – Hardcoding Ransom Note

Once the ransomware/encryptor file has been generated, the builder proceeds to call the “sub_404650” function to generate the “decryptor” binaries. As seen in the image below, captured during the runtime (process execution) analysis, this code hardcodes the “Key” (KS) in the “decryptor” binary and writes the final decryptor binary to disk.

Figure 12 – Hardcoding Seed (KS) during runtime analysis 

Finally, the code shown in the figure below takes a “Random” Seed file as input from the user and generates the “Key” (KP) from it. This is followed by the generation of the “Encryptor” and “Decryptor” binaries by calling the “sub_404790” and “sub_404650” functions.

Figure 13 – Taking the seed value file as input

  • Babuk Encryptor Analysis 

Execution Flow of the Babuk Encryptor (Ransomware) 

Figure 14 – Execution Flow of Babuk Encryptor (Ransomware) 

We started with the analysis of the Babuk Encryptor (Ransomware) and found that the application is a GUI-based x86 application, compiled on “2021-03-23 19:22:40” and developed using C/C++.

Figure 15 – Basic static analysis details 

Upon execution of the encryptor/ransomware binary, the process tree showcased below was created. 

Figure 16 – Process tree after executing encryptor/ransomware 

Furthermore, we noticed that the binary launches the vssadmin.exe process to delete all Shadow Copies using the command “vssadmin.exe delete shadows /all /quiet”, as shown in the figure below.

Figure 17 – Using vssadmin.exe to delete all shadow copies. 
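Shadow Copy deletion is one of the few loud, pre-encryption actions a defender can alert on. The snippet below is an added example, not code from the Cyble write-up: it runs a detection for the command shown in Figure 17 over constructed Sysmon-style process-creation lines (the field names, paths and parent process are assumed for the example).

```python
import re
from typing import Dict, List

# Constructed sample lines (not real telemetry). Field names mirror Sysmon Event ID 1
# (Image, CommandLine, ParentImage); the paths and the parent process are made up.
SAMPLE_LOG = """\
Image: C:\\Windows\\System32\\vssadmin.exe | CommandLine: vssadmin.exe delete shadows /all /quiet | ParentImage: C:\\Users\\victim\\e_win.exe
Image: C:\\Windows\\System32\\vssadmin.exe | CommandLine: vssadmin.exe list shadows | ParentImage: C:\\Windows\\System32\\cmd.exe
Image: C:\\Windows\\System32\\cmd.exe | CommandLine: cmd.exe /c "VSSADMIN.EXE Delete Shadows /All /Quiet" | ParentImage: C:\\Users\\victim\\e_win.exe
Image: C:\\Windows\\System32\\notepad.exe | CommandLine: notepad.exe "How to Restore Your Files.txt" | ParentImage: C:\\Windows\\explorer.exe
"""

# Case-insensitive match for the destructive form of the command; tolerates a path
# before the binary name, extra whitespace, and the /quiet switch in any position.
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\b.*?/all", re.IGNORECASE)

def parse_line(line: str) -> Dict[str, str]:
    """Split one 'Key: value | Key: value' line into a field dictionary."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields

def find_shadow_copy_deletions(log_text: str) -> List[Dict[str, str]]:
    """Return every event whose command line deletes all Volume Shadow Copies."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if SHADOW_DELETE.search(event.get("CommandLine", "")):
            hits.append(event)
    return hits

if __name__ == "__main__":
    for hit in find_shadow_copy_deletions(SAMPLE_LOG):
        print(f"shadow copy deletion by {hit['ParentImage']}: {hit['CommandLine']}")
```

The `list shadows` line is deliberately left unflagged; the same pattern applies unchanged to the encryptor's `sub_4046D0` behaviour whether vssadmin is spawned directly or through cmd.exe.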

The figure below shows the infection activity of the ransomware.

Figure 18 – Infection activity of the encryptor/ransomware

Based on code analysis, we found four primary functions in the Babuk encryptor, as depicted in the image below.  

Figure 19 – Stopping the VSS service, closing the list of processes, deleting shadow copies and cleaning the Recycle Bin

The four functions called by the encryptor are sub_404770(), sub_4049B0(), sub_4046D0(), and SHEmptyRecycleBinA; their objectives are shown in the table below.

Function            Intent
sub_404770()        Stopping the VSS service
sub_4049B0()        Closing the list of processes that prevent file encryption
sub_4046D0()        Deleting all shadow copies
SHEmptyRecycleBinA  Emptying the Recycle Bin

Table 2 

The Encryptor binary fetches the details of the number of processors available on the victim system. 

Figure 20 – Retrieving the number of processors on the victim system

The encryptor then loops to create one thread per available processor; “StartAddress” holds the address of the function that performs the encryption task.

Figure 21 – Creating threads for encrypting the files and creating ransom notes 

Once the function at StartAddress is called, it calls the sub_412ED0 function to create the “Ransom Note” and perform the “File Encryption Action”.

Figure 22 – Function to create ransom note and encrypt file logic 

Next, the function sub_412ED0 starts enumerating system folders and creates ransom notes in each folder. 

Figure 23 – Creating ransom notes 

As shown in the figure below, during the runtime (process execution) analysis we can see that “How to Restore Your Files.txt” has been created with the content “text”.

Figure 24 – Created ransom notes with content text 

The “sub_409740” function, which is responsible for encrypting the targeted files, is then executed; it has the following functionalities:

Sr. No  sub_409740 Intent
1       Append the .babyk extension to all files
2       Retrieve the “Key” (KP)
3       Read the content of the .babyk file
4       Encrypt the content of the .babyk file
5       Write the encrypted content
6       Append the signature to the encrypted content

Table 3 

The code below shows the Encryptor appending the .babyk extension to each file it finds.

Figure 25 – Appending the file extension with .babyk  

Upon successfully renaming the file, the Encryptor fetches the Key (KP) hardcoded in the .data section of its binary.

Figure 26 – Fetch Key(KP) from .data section 

During the runtime (process execution) analysis, we can see that the encryptor fetches the Key (KP).

Figure 27 – Fetches the Key(KP) during runtime analysis. 

Once the “Key” (KP) has been fetched, the Encryptor reads the .babyk-extension file, which at this stage is still stored as plain text (Content).

Figure 28 – Read non-encrypted content from .babyk extension file 

Then, the Encryptor calls the function “sub_4101E0” to encrypt the content.

Figure 29 – Function called to encrypt the non-encrypted content 

It then writes the encrypted content back to the file.

Figure 30 – Write encrypted contents to the .babyk file. 

Later, it appends the signature “choung dong looks like hot dog!!” at the end of the encrypted content of the same file.

Figure 31 – Writing the “choung dong looks like hot dog!!” signature at the end of the encrypted file

The Encryptor also creates a mutex named “DoYouWantToHaveSexWithChuongDong” on the system.

Figure 32 – Creating the mutex named “DoYouWantToHaveSexWithChuongDong”

  • Babuk Decryptor Analysis 

Execution Flow of Babuk Decryptor 

Figure 33 – Execution Flow of Babuk Decryptor 

Upon code analysis, we saw the code in the image below presenting a message box to the user with the content “Press ‘OK’ to start decryption process!” before it starts decrypting the document files.

Once the user clicks ‘OK’, the Decryptor creates a mutex named “DoYouWantToHaveSexWithChuongDong” to ensure that only one Decryptor process runs at a time, as seen in the figure below.

Figure 34 – Show “Start decryption process” message box to victim and create mutex 

Later, it deletes all items from the Recycle Bin by calling “SHEmptyRecycleBinA”, as shown in the figure below.

Figure 35 – Clean recycle bin 

As shown in the code below, the Decryptor fetches the number of processors available on the victim machine. 

Figure 36 – Fetching the number of processors available on the victim system

Depending on the number of processors, the Decryptor creates threads to start the decryption process. Here, the StartAddress function holds the address of the Decryptor function.

Figure 37 – Create threads for decryption of files 

In the StartAddress function, another function, “sub_406990”, is called; its task is to perform the decryption.

Figure 38 – Actual decryption function called 

The function sub_406990 looks for encrypted files with the .babyk extension, renames them by removing the .babyk extension, and opens a file handle for further operations, as shown in the figure below.

Figure 39 – Removing the .babyk extension from the encrypted file and opening a handle to it

This is followed by the Decryptor binary reading the tail of the encrypted file, matching it against the signature “choung dong looks like hot dog!!”, and removing it from the encrypted file.

Figure 40 – Reading the signature “choung dong looks like hot dog!!” from the encrypted file and removing it
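The on-disk layout described in the encryptor section (the .babyk rename, the ciphertext, then the trailing signature, Figures 25 to 31) and stripped again by the decryptor (Figures 39 and 40) is enough to triage an affected tree during incident response. The scanner below is an added example, not code from the Cyble write-up; the directory it scans is constructed in a temporary folder, and the file names in it are made up.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

BABUK_EXT = ".babyk"
BABUK_TAIL = b"choung dong looks like hot dog!!"   # 32-byte trailing signature from the write-up
RANSOM_NOTE = "How to Restore Your Files.txt"

def babuk_ciphertext(path: Path) -> Optional[bytes]:
    """Return the ciphertext body of a .babyk file that ends with the signature, else None.
    The body is everything before the 32-byte tail, i.e. what the decryptor strips and decrypts."""
    if path.suffix != BABUK_EXT:
        return None
    size = path.stat().st_size
    if size < len(BABUK_TAIL):          # renamed but never fully written: no signature possible
        return None
    with path.open("rb") as fh:
        fh.seek(size - len(BABUK_TAIL))
        if fh.read() != BABUK_TAIL:
            return None
        fh.seek(0)
        return fh.read(size - len(BABUK_TAIL))

def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk root and collect Babuk-encrypted files and ransom notes (paths relative to root)."""
    found: Dict[str, List[str]] = {"encrypted": [], "notes": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            if name == RANSOM_NOTE:
                found["notes"].append(rel)
            elif babuk_ciphertext(p) is not None:
                found["encrypted"].append(rel)
    return found

def build_sample_tree() -> Path:
    """Create a constructed sample tree: one encrypted file, one note, and two decoys."""
    root = Path(tempfile.mkdtemp(prefix="babuk_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.babyk").write_bytes(b"\x9f\x11" * 40 + BABUK_TAIL)
    (root / "docs" / RANSOM_NOTE).write_text("text")
    (root / "docs" / "notes.txt.babyk").write_bytes(b"renamed, not encrypted")   # no signature
    (root / "photo.jpg").write_bytes(b"\xff\xd8" + BABUK_TAIL)                  # wrong extension
    return root

if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

The two decoys matter in practice: the encryptor renames before it encrypts, so a file that was interrupted mid-run carries the extension but no signature and must not be counted as recoverable ciphertext.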

The figure below shows the Decryptor fetching the “Key” (KS) during the runtime (process execution) analysis.

Figure 41 – Seed(KS) value shown during the runtime analysis 

Once the Decryptor has the “Key” (KS), it reads the encrypted file, decrypts the content, and writes the output back to disk.

Figure 42 – Reading the encrypted content, decrypting it and writing it back to the file

Later, the function sub_407050 is called, as shown in the figure below. Its purpose is to delete the ransom note “How to Restore Your Files.txt”.

Figure 43 – Function called to find and delete the “How to Restore Your Files.txt” ransom note

The code shown below searches for files; if “How to Restore Your Files.txt” is found, it is deleted using “DeleteFileW”, as shown below.

Figure 44 – Function deleting the ransom note once found

Once the decryption process is done, the user is presented with a message that says “Your file decrypted, bye!”.

Figure 45 – After decryption is done, the final message box is shown to the victim with the message “Your file decrypted, bye!”

Conclusion  

The release of the Babuk ransomware builder may increase the chances of future ransomware attacks. Attackers may leverage such ransomware builder tools to target victims through various means, such as social engineering campaigns and phishing attacks.

Our Recommendations 

  • Use the shared IoCs to monitor and block the malware infection.   
  • Use strong passwords and enforce multi-factor authentication wherever possible.   
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • Use a reputable anti-virus and Internet security software package on your connected devices, including PCs, laptops, and mobiles.
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.  
  • Conduct regular backup practices and keep those backups offline or in a separate network. 

MITRE ATT&CK® Techniques 

Tactic     Technique ID  Technique Name
Execution  T1204         User Execution
Discovery  T1082         System Information Discovery
Impact     T1490         Inhibit System Recovery
Impact     T1489         Service Stop
Impact     T1486         Data Encrypted for Impact

Indicators of Compromise (IoCs):   


Generic signatures and Rules: 

YARA Rules:

rule Win32_Babuk_Ransomware
{
    meta:
        author = "Cyble Research"
        date = "2021-07-02"
        description = "Coverage for Babuk Ransomware files"
    strings:
        $sig1 = "kp.curve25519" wide ascii
        $sig2 = "ks.curve25519" wide ascii
        $sig3 = "e_nas_x86.out" wide ascii
        $sig4 = "DoYouWantToHaveSexWithCuongDong" wide ascii
        $sig6 = "How To Restore Your Files.txt" wide ascii
        $sig7 = ".babyk" wide ascii
        $sig8 = "choung dong looks like hot dog!!" wide ascii
    condition:
        2 of ($sig*)
}

About Cyble  

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.
