On April 2021, one of the most known Ransomware Gang called Babuk, decided to change the way they ask for ransom: no more double extortion, no more file encryption but just data exfiltration and a later announcement in case of no deal with the victim. It’s a nice move forward for a Ransomware Gang that, as far as I know, followed the Maze Group double extortion paradigm since 2019. This is what reported on BleepingComputer (HERE) on April.

“Babuk changes direction, we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it if you do not get in touch we make an announcement” – Babuk ransomware

Babuk Ransomware Gang

At the end of April, Babuk gang decided to definitely close their malicious operations making their Babuk Ransomware opensource, but so far no code was shared to the community.

Many Babuk ransomware where disclosed and analyzed during the following weeks, but when I saw this (reference follows) sample called “builder” with static signatures that reminded me the Babuk Ransomware, I decided to take a closer look checking if it definitely was the Babuk builder.

Builder Analysis

So, let’s take a closer look to this sample called builder matching signature from Babuk Ransomware. Sha256: 4fa565cc2ebfe97b996786facdb454e4328a28792e27e80e8b46fe24b44781af , from the time of the analysis, the sample is recognized as malicious from 8 (over 68) AV vendors. I believe it is a nice starting point to investigate our building chain ;).

BabukRansomwareBuilder on VT
Given Namebuilder.bin
SHA2564fa565cc2ebfe97b996786facdb454e4328a28792e27e80e8b46fe24b44781af
TechnologyMicrosoft C/C++
BehaviorRansomware Builder

The sample appears to be not packed. It means that on building chain the attacker need to use an external packer. It might underline a non sophisticated developer chain, in other words, the developer may have no expertise building packers or he/she decided to use external obfuscators/packers during the delivery phase of the derivated artifacts. The builder is a CLI utility asking for a folder. Once you give a folder name it firstly check if the folder exists, and if it doesn’t, the sample creates it. It later builds up the pair keys by using elliptic curve algorithm with a randomly generated 256 key size.

Private and Public Elliptic Curve Keys
Random Key Generation For Elliptic Curve 32×8 (256) Key

After the key generation phase the builder saves such a keys inside the given folder in two separated files : kp.curve25519 and ks.curve25519 which are public and secret parameters for the Montgomery curve. The builder then checks for components in the current folder in order to build the output samples. The needed components are:

  • note.txt: a simple text file wrapping ransom note.
  • e_esxi.out,e_nas_x86.out,e_nas_arm.out,e_win.bin: specific encryption payloads for different targets (ESXI, NAS and Windows Machines)
  • d_esxi.out,d_nas_x86.out,d_nas_arm.out,d_win.bin: specific decryption payloads for different targets (ESXI, NAS and Windows Machines)

The following image shows the main builder function in where it looks for external files (representing payloads) and saves them on local hard drive ready to be implemented into the victims system.

Babuk main building function

The ransomware generation is a simple process. It firstly takes the external payload and it later starts a lstrcp (which is dynamically loaded) to copy the exernal payload to files, implementing the final ransomware. The following image shows the main saving function.

Main Saving Function

The following images show the variables wrapping out the file name (on the left) and the result of the “stringCopy” function (on the right) before saving them to the hard drive.

Once the building function terminates its run the user (actually the attacker) finds the given folder full of ransomware ready to be deployed to victims. The following image shows the built ransomware which happens to be ready to be spread on Windows system, Linux systems on ESX and specific NAS within ARM core.

Final Built Folder

Conclusion

Babuk Builder looks like to be a quite simple piece of code. But even if it’s a simple code it holds some interesting characteristics which could be helpful to compare to future builders. For example the loading sections and the way the builder uses the lstrcp function to copy the loaded payloads. The main building loop and the used algorithm to generate key-pairs.

NameSha256
d_esxi.outa7a832dd999f4d147087231731ac040be03a26859cfc03f948b092b5a8c259d6
d_nas_arm.outfa2b76dde88f2306b280586b5cf40671f4f08b83e9e095f7d52608e6ed1dd7bf
d_nas_x86.out45b26897e7d81f2e1905cbb3d227a94bc7991f14a4a24f4aa4752083602be41e
d_win.exe0221b06e7aa462206039db6366bee9b31838d736dff9145ee54811e2abee7128
e_esxi.out1afd6bbf62fa0906da0fc4ebd55bf7339aeb3d8beb539df9be4d016efabf3a12
e_nas_arm.out1a3b213f0303ff5f676df39217abae197f8af689de4c884cd0acc96aedb1a328
e_nas_x86.outaf2727be8ff8eb40b4e6eb0ba3c3d0594e4e902e698875a0ef4e3a4ef06f2a86
e_win.exe3d554fe3ed824df5bb625bcff4ddde834866164088358ddabc4e5aec8a6562b0
Babuk Builder IoC