It’s a new year, and with it comes a new ransomware called Babuk Locker that targets corporate victims in human-operated attacks. Babuk Locker is a new ransomware operation launched in early 2021, and it has since accumulated a small list of victims from around the world.

It falls within what we know as RaaS (Ransomware-as-a-Service), where different actors take part in creating the code and in distributing it afterwards. The attackers will usually demand a ransom, but they will also threaten to publish the stolen data. Each Babuk Locker executable analyzed by BleepingComputer has been customized per victim to contain an encoded file extension, a ransom note, and a Tor victim URL. According to security researcher Chuong Dong, who also analyzed the new ransomware, the threat is amateurish in its implementation, but it includes strong encryption that prevents victims from recovering their files for free.

Despite being new, this threat has already had a significant impact: in just a few months it has hit at least five large companies in sectors such as healthcare, banking and finance, hosting, and transportation, and it obtained $85,000 after one of its victims paid the ransom. We don’t know which company paid, but we do know of one public confirmation from a targeted company: Serco, an outsourcing company, confirmed that it had been hit by a double-extortion ransomware attack in late January. That is an attack in which the ransomware operators not only encrypt files but also steal data and threaten to leak it if the ransom is not paid.

Babuk uses its own encryption scheme. It uses ChaCha8, a stream cipher from the Salsa20 family also used, for example, by the REvil (Sodinokibi) ransomware, combined with elliptic-curve Diffie-Hellman (ECDH) key exchange. During encryption it launches multiple threads to encrypt the disks, varying the thread workload according to the size of each disk.

Also check:
REvil is a dangerous ransomware
Egregor is a ransomware that has been very active
