The Babuk ransomware gang’s source code has been uploaded to VirusTotal, making it available to all security vendors & competitors. It is unclear however just how that happened.
The gang’s source code is now available to rivals & security researchers alike – & a decryptor likely is too not far behind.
According to a Wed. posting from Malwarebytes, the operators of the ransomware – perhaps best-known for hitting the Washington D.C. police force in April – had told its underground forum audience that it was getting out of the encryption business. The criminals instead promised to move to a steal, leak & shame approach focused on data theft & extortion.
According to Malwarebytes, the group announced:
“Babuk changes direction, we no longer encrypt information on networks, we will get to you & take your data, we will notify you about it if you do not get in touch we make an announcement,” read the hacker-forum post. Separately, it wrote,
“The Babuk project will be closed, its source code will be made publicly available, we will do something like open-source RaaS, everyone can make their own product based on our product.”
After the D.C. incident, it could be that the gang was feeling the heat from law enforcement – several ransomware crews, including the Darkside group responsible for the Colonial pipeline attack, have cited increased & unwelcome scrutiny from international law enforcement as a reason to alter their target choices & crimeware approaches.
The announcement was met with scepticism from the security community, & indeed, operations did not seem to cease. Babuk did, however, rebrand its leak site as “Payload.bin,” taking its own name out of it.
A Bit Fickle
“It needs to be said that the Babuk operators were always a bit fickle in their communications. One moment they would announce something, only to delete it shortly after & issue a new statement,” according to Malwarebytes’ posting. “As our esteemed colleague Adam Kujawa, Director of Malwarebytes Labs said when Maze announced its retirement, ‘ransom actors are professional liars & scammers; to believe anything they say is a mistake.’”
Now, 2 months later, the Babuk builder used to create the ransomware’s unique payloads & decryption modules has been made public, researchers commented. It is puzzling why.
Stumbled Upon It
“It has been a while since malware authors were dunce enough to upload their work to [VirusTotal] VT to check whether it would be detected by the anti-malware industry or not,” according to Malwarebytes.
“The vendors that co-operate on VT have access to any files uploaded there. So, if their freshly created malware were not detected immediately, it would be soon after. Since those days, malware authors have their own services to run these checks without sharing their work with the anti-malware vendors…By uploading the builder to VirusTotal they were basically making the source code available.”
Independent researcher Kevin Beaumont said he “stumbled upon it” in VT while looking at a sandbox.
He also explained that the code “spits out” decryptors for certain versions of the malware. Malwarebytes meanwhile shared that it is working to understand if the builder contains enough information to create a Babuk decryptor.
The precise code is for building malware that targets Windows systems, VMWare ESXi servers, & ARM-based network-attached storage (NAS) devices, according to a separate report from Bleeping Computer. Meanwhile, new Babuk attacks are launching using the leaked information, the outlet revealed, with the criminals asking for just .06 Bitcoin per attack – about $210.
Leaked Babuk Source Code
Unfortunately, the upload of the Babuk ransomware compiler is likely to be made use of by financially motivated threat players, quickly — according to Cymulate CTO Avihai Ben-Yossef. In fact, he mentioned, it has already started happening.
“Easily downloading the Babuk ransomware compiler from the VirusTotal repository and creating their own custom ransomware note, these new attackers have generated their own ransomware campaigns easily,” he stated. “All of this is done without any pain of having to produce it themselves.”
He warned to expect a large outbreak of copycat Babuk ransomware campaigns by a wider variety of players — as well as additional Babuk strains that will be modified to evade detection.
“Looking at past ransomware targets, targeted by copycats and affiliates, they tend to have less fear of going after more sensitive targets like critical infrastructure,” he said. “Whereas the main financially motivated actors (FINs) avoid these for fear of criminal prosecution or reprisals that drain their Bitcoin wallets & take down their ransomware infrastructure like we saw with the Colonial Pipeline attack.”
He added, “We also predict that the original Babuk team who are highly skilled will lay low for a bit and return with a new or dramatically re-engineered ransomware compiler, infrastructure, etc.”
Inspect the Cyber Environment
To avoid becoming a victim, enterprises should inspect the cyber environment for susceptibility to ransomware and educate users about spear-phishing campaigns, so they learn what not to click on, Ben-Yossef said.
He added, “Practice your incident-response plans. Shore up the basics: Have better patch management, segmentation, password discipline, multifactor authentication, certificate management and backup procedures in place.”
Why Upload the Babuk Builder to VirusTotal?
The agents behind the VT upload of Babuk are not clear. There are a few potential scenarios, though.
It could be rival ransomware gangs looking to basically stop the Babuk & get them out of the way. That is a possibility that researchers explained would make sense only if competitors felt very strongly about Babuk keeping its promise to get out of ransomware operations.
Another theory is that a random person came across the file & was curious as to whether it was malicious. However, as researchers noted, “it is very unlikely that someone would get this file without knowing what it is.”
2 Other Options
2 other options – both unlikely, according to the analysis – are that:-
1) a Babuk affiliate wanted to check if the code is detectable by antivirus; or
2) this is the roundabout way that Babuk decided to make its code open source.
In both situations, it is more likely that the holder of the file would use the regular cybercrime network channels for such activities, according to the firm.
“They would use a service that does not share it with anti-malware vendors,” for the former option, researchers observed & as for the later hypothetical, “they would cMrtainly have made this known through their usual channels if this was the plan.”
It remains a mystery – for now.
“Maybe we have missed the scenario that describes what really happened,” Malwarebytes researchers noted.
“Another fact that may be of consequence, somehow, is that researchers found several defects in Babul’s encryption and decryption code. These flaws show up when an attack involves ESXi servers & they are severe enough to result in a total loss of data for the victim.”