Babadeda

Malware

⚠️ Overview

Babadeda is a ransomware family first discovered in December 2022 by the cybersecurity firm MalwareHunterTeam, with early samples linked to a threat actor known as "Babuk2" due to code reuse from the leaked Babuk ransomware source code. It is classified as a file-encrypting ransomware that targets Windows systems, often delivered via phishing campaigns or through compromised Remote Desktop Protocol (RDP) credentials. The malware is written in C++ and uses the leaked Babuk builder, making it accessible to low-skilled attackers.

🔧 Technical Capabilities

Babadeda encrypts files using a combination of ChaCha20 and RSA-4096 algorithms, appending the extension .babadeda to encrypted files and dropping a ransom note named ReadMe.txt. It has the ability to enumerate local drives and network shares, encrypting files on all accessible mounted volumes through multi-threaded processing. The ransomware uses the Windows API function SHGetKnownFolderPath to identify user directories and avoids encrypting system-critical folders (e.g., Windows, Program Files) to maintain system stability. For persistence, it modifies registry keys such as HKCU\Software\Microsoft\Windows\CurrentVersion\Run to execute the payload at startup. Evasion techniques include checking for sandbox environments by detecting analysis tools like Process Explorer and Wireshark, and terminating processes that may lock files (e.g., Outlook, SQL Server) using taskkill commands. Communication with its command-and-control (C2) infrastructure is typically conducted over HTTP, with hardcoded IP addresses or domains embedded in the binary, though many samples lack a functional C2 due to the builder’s simplicity.

📜 History & Notable Incidents

Babadeda emerged in late 2022 as part of a larger wave of Babuk-derived ransomware variants, with the earliest samples tracked by ID-Ransomware and BleepingComputer. No high-profile victim organizations have been officially named, but the malware has been used in small-scale attacks against small businesses and individuals, particularly in Asia and Eastern Europe. No CVEs are directly associated with Babadeda, as it relies on social engineering and stolen credentials rather than exploiting software vulnerabilities. Law enforcement actions have not targeted the group specifically, though the leakage of the Babuk source code in September 2021 indirectly facilitated the creation of Babadeda.

🔍 Detection Indicators

Known file hashes for Babadeda samples include SHA-256 4c2e3f1a8b9d5c7e6f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2 (example; actual hashes vary). Behavioral indicators include rapid file renaming with the .babadeda extension, the creation of ransom notes in every encrypted directory, and network connections to unusual IP addresses on port 443. Registry artifacts include the Run key entry with a random alphanumeric value name pointing to the malware binary. Mutex names such as Global\BabadedaMutex have been observed in some samples to prevent multiple executions.

☠️ Risk & Impact

Babadeda causes permanent data loss if victims fail to pay the ransom, as decryption without the private key is computationally infeasible due to RSA-4096 encryption. Financial losses per incident are typically modest (hundreds to low thousands of dollars), but the disruption can be severe for small businesses lacking offline backups. The affected sectors include healthcare, education, and manufacturing, though no industry-wide targeting has been documented.

🛡️ Mitigation

Organizations should enforce multi-factor authentication on RDP connections, maintain offline backups of critical data, and implement endpoint detection rules blocking execution from user directories (e.g., AppData\Local\Temp). Free decryptors are not publicly available, but file recovery may be possible from Volume Shadow Copies if not deleted by the ransomware.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.