{"id":124754,"date":"2021-07-28T21:01:36","date_gmt":"2021-07-29T04:01:36","guid":{"rendered":"\/blogs\/?p=124754"},"modified":"2024-02-15T03:41:45","modified_gmt":"2024-02-15T11:41:45","slug":"babuk-biting-off-more-than-they-could-chew-by-aiming-to-encrypt-vm-and-nix-systems","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/babuk-biting-off-more-than-they-could-chew-by-aiming-to-encrypt-vm-and-nix-systems\/","title":{"rendered":"Babuk: Biting off More than they Could Chew by Aiming to Encrypt VM and *nix Systems?"},"content":{"rendered":"

Co-written with Northwave<\/a>\u2019s No\u00ebl Keijzer.<\/p>\n

Executive Summary<\/h2>\n

For a long time, ransomware gangs were mostly focused on Microsoft Windows operating systems. Yes, we observed the occasional dedicated Unix or Linux based ransomware, but cross-platform ransomware was not happening yet. However, cybercriminals never sleep and in recent months we noticed that several ransomware gangs were experimenting with writing their binaries in the cross-platform language Golang (Go).<\/p>\n

Our worst fears were confirmed when Babuk announced on an underground forum that it was developing a cross-platform binary aimed at Linux\/UNIX and ESXi or VMware systems. Many core backend systems in companies are running on these *nix operating systems or, in the case of virtualization, think about the ESXi hosting several servers or the virtual desktop environment.<\/p>\n

We touched upon this briefly in our previous blog<\/a>, together with the many coding mistakes the Babuk team is making.<\/p>\n

Even though Babuk is relatively new to the scene, its affiliates have been aggressively infecting high-profile victims, despite numerous problems with the binary which led to a situation in which files could not be retrieved, even if payment was made.<\/p>\n

Ultimately, the difficulties faced by the Babuk developers in creating ESXi ransomware may have led to a change in business model, from encryption to data theft and extortion.<\/p>\n

Indeed, the design and coding of the decryption tool are poorly developed, meaning if companies decide to pay the ransom, the decoding process for encrypted files can be really slow and there is no guarantee that all files will be recoverable.<\/p>\n

Coverage and Protection Advice<\/h2>\n

McAfee\u2019s EPP solution covers\u00a0Babuk<\/strong>\u00a0ransomware with an array of prevention and detection techniques.<\/p>\n

McAfee ENS ATP provides behavioral content focusing on proactively detecting the threat while also delivering known IoCs for both online and offline detections. For DAT based detections, the family will be reported as\u00a0Ransom-Babuk<\/strong>!<\/em>. ENS ATP adds 2 additional layers of protection thanks to JTI rules that provide attack surface reduction for generic ransomware behaviors and RealProtect (static and dynamic) with ML models targeting ransomware threats.<\/p>\n

Updates on indicators are pushed through GTI, and customers of Insights will find a threat-profile on this ransomware family that is updated when new and relevant information becomes available.<\/p>\n

Initially, in our research the entry vector and the complete tactics, techniques and procedures (TTPs) used by the criminals behind\u00a0Babuk<\/strong>\u00a0remained unclear.<\/p>\n

However, when its affiliate recruitment advertisement came online, and given the specific underground meeting place where\u00a0Babuk<\/strong>\u00a0posts, defenders can expect similar TTPs with\u00a0Babuk<\/strong>\u00a0as with other Ransomware-as-a-Service families.<\/p>\n

In its recruitment posting\u00a0Babuk<\/strong>\u00a0specifically asks for individuals with pentest skills, so defenders should be on the lookout for traces and behaviors that correlate to open source penetration testing tools like winPEAS, Bloodhound and SharpHound, or hacking frameworks such as CobaltStrike, Metasploit, Empire or Covenant. Also be on the lookout for abnormal behavior of non-malicious tools that have a dual use, such as those that can be used for things like enumeration and execution, (e.g., ADfind, PSExec, PowerShell, etc.) We advise everyone to read our blogs on evidence indicators for a targeted ransomware attack (Part1<\/a>,\u00a0Part2<\/a>).<\/p>\n

Looking at other similar Ransomware-as-a-Service families we have seen that certain entry vectors are quite common amongst ransomware criminals:<\/p>\n