On April 2021, one of the most known Ransomware Gang called Babuk, decided to change the way they ask for ransom: no more double extortion, no more file encryption but just data exfiltration and a later announcement in case of no deal with the victim. It’s a nice move forward for a Ransomware Gang that, as far as I know, followed the Maze Group double extortion paradigm since 2019. This is what reported on BleepingComputer (HERE) on April.
“Babuk changes direction, we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it if you do not get in touch we make an announcement” – Babuk ransomware
Babuk Ransomware Gang
At the end of April, Babuk gang decided to definitely close their malicious operations making their Babuk Ransomware opensource, but so far no code was shared to the community.
Many Babuk ransomware where disclosed and analyzed during the following weeks, but when I saw this (reference follows) sample called “builder” with static signatures that reminded me the Babuk Ransomware, I decided to take a closer look checking if it definitely was the Babuk builder.
Builder Analysis
So, let’s take a closer look to this sample called builder matching signature from Babuk Ransomware. Sha256: 4fa565cc2ebfe97b996786facdb454e4328a28792e27e80e8b46fe24b44781af , from the time of the analysis, the sample is recognized as malicious from 8 (over 68) AV vendors. I believe it is a nice starting point to investigate our building chain ;).
| Given Name | builder.bin |
| SHA256 | 4fa565cc2ebfe97b996786facdb454e4328a28792e27e80e8b46fe24b44781af |
| Technology | Microsoft C/C++ |
| Behavior | Ransomware Builder |
The sample appears to be not packed. It means that on building chain the attacker need to use an external packer. It might underline a non sophisticated developer chain, in other words, the developer may have no expertise building packers or he/she decided to use external obfuscators/packers during the delivery phase of the derivated artifacts. The builder is a CLI utility asking for a folder. Once you give a folder name it firstly check if the folder exists, and if it doesn’t, the sample creates it. It later builds up the pair keys by using elliptic curve algorithm with a randomly generated 256 key size.
After the key generation phase the builder saves such a keys inside the given folder in two separated files : kp.curve25519 and ks.curve25519 which are public and secret parameters for the Montgomery curve. The builder then checks for components in the current folder in order to build the output samples. The needed components are:
note.txt: a simple text file wrapping ransom note.e_esxi.out,e_nas_x86.out,e_nas_arm.out,e_win.bin: specific encryption payloads for different targets (ESXI, NAS and Windows Machines)d_esxi.out,d_nas_x86.out,d_nas_arm.out,d_win.bin: specific decryption payloads for different targets (ESXI, NAS and Windows Machines)
The following image shows the main builder function in where it looks for external files (representing payloads) and saves them on local hard drive ready to be implemented into the victims system.
The ransomware generation is a simple process. It firstly takes the external payload and it later starts a lstrcp (which is dynamically loaded) to copy the exernal payload to files, implementing the final ransomware. The following image shows the main saving function.
The following images show the variables wrapping out the file name (on the left) and the result of the “stringCopy” function (on the right) before saving them to the hard drive.
Once the building function terminates its run the user (actually the attacker) finds the given folder full of ransomware ready to be deployed to victims. The following image shows the built ransomware which happens to be ready to be spread on Windows system, Linux systems on ESX and specific NAS within ARM core.
Conclusion
Babuk Builder looks like to be a quite simple piece of code. But even if it’s a simple code it holds some interesting characteristics which could be helpful to compare to future builders. For example the loading sections and the way the builder uses the lstrcp function to copy the loaded payloads. The main building loop and the used algorithm to generate key-pairs.
| Name | Sha256 |
| d_esxi.out | a7a832dd999f4d147087231731ac040be03a26859cfc03f948b092b5a8c259d6 |
| d_nas_arm.out | fa2b76dde88f2306b280586b5cf40671f4f08b83e9e095f7d52608e6ed1dd7bf |
| d_nas_x86.out | 45b26897e7d81f2e1905cbb3d227a94bc7991f14a4a24f4aa4752083602be41e |
| d_win.exe | 0221b06e7aa462206039db6366bee9b31838d736dff9145ee54811e2abee7128 |
| e_esxi.out | 1afd6bbf62fa0906da0fc4ebd55bf7339aeb3d8beb539df9be4d016efabf3a12 |
| e_nas_arm.out | 1a3b213f0303ff5f676df39217abae197f8af689de4c884cd0acc96aedb1a328 |
| e_nas_x86.out | af2727be8ff8eb40b4e6eb0ba3c3d0594e4e902e698875a0ef4e3a4ef06f2a86 |
| e_win.exe | 3d554fe3ed824df5bb625bcff4ddde834866164088358ddabc4e5aec8a6562b0 |
