Babuk
Malware
⚠️ Overview
Babuk is a ransomware family first identified in January 2021 by NCC Group and other security vendors. It operates as a Ransomware-as-a-Service (RaaS) with code publicly leaked in September 2021, leading to proliferation by multiple threat actors. The original developers, believed to be Russian-speaking, announced retirement in April 2021 after releasing decryptors for some victims, but the leaked source code enabled variants such as BabukV2, BabukLocker, and ESXi-specific versions.
🔧 Technical Capabilities
Babuk uses a hybrid encryption scheme: a random AES-256 key per file, encrypted with an RSA-4096 public key embedded in the binary. It targets both Windows and VMware ESXi hypervisors, using a dedicated Linux ELF variant that encrypts virtual machine disks (VMDK, VMFX, VSWP) via the ESXi-CIM library. Initial access often exploits Citrix ADC vulnerabilities (CVE-2019-19781) or unpatched Pulse Secure VPNs (CVE-2019-11510). For persistence, it deletes volume shadow copies (`vssadmin delete shadows /all`) and disables recovery mode (`bcdedit /set {default} recoveryenabled No`). Evasion includes obfuscating the ransomware binary with packers like UPX and skipping critical system files (e.g., `.exe`, `.dll`, `.sys`) so the system stays stable enough for the victim to pay the ransom. Lateral movement uses SMB/WMI with hardcoded credentials or brute-forcing weak RDP passwords (MITRE ATT&CK T1021.002, T1078.001).
📜 History & Notable Incidents
Babuk gained notoriety in April 2021 with the attack on the Metropolitan Police Department of Washington, D.C., leading to the leak of 250 GB of sensitive data. In February 2021, Babuk compromised the Houston Rockets NBA team and later targeted multiple healthcare providers (e.g., California's Santa Clara Valley Medical Center). No specific CVEs are attributed to Babuk itself, but it commonly exploits CVE-2019-19781 and CVE-2020-1472 (Zerologon). Law enforcement actions include Europol's involvement in takedown efforts, but no arrests of core operators have been publicly confirmed as of 2025.
🔍 Detection Indicators
Known file hashes from public reports (NCC Group): SHA256 0c7a1d4e8f9b2a3c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7 (sample). Behavioral signatures: creation of a ransom note named `HowToRestoreYourFiles.txt` and encrypted files with the `.babuk` extension appended (Windows) or `.babyk` (ESXi). Network IOCs: C2 communication over HTTPS to IP ranges like 45.155.205.x (reported by Cisco Talos). Registry key added under `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run` for persistence. Mutex name `Global\Babuk` has been observed in older variants. User-Agent string `Mozilla/5.0 (Windows NT 10.0; Win64; x64)` spoofing legitimate browsers.
☠️ Risk & Impact
Babuk operations practise double extortion: data is stolen before encryption using tools like Cobalt Strike or native PowerShell, and the exfiltrated data is then leaked publicly. Financial losses for affected organizations range from hundreds of thousands to millions of dollars (e.g., the DC police attack cost an estimated $4 million in recovery). The most affected sectors include healthcare, government, and professional sports, with the ESXi variant crippling entire virtualized server farms.
🛡️ Mitigation
Defensive measures include patching Citrix ADC (CVE-2019-19781), disabling unused RDP ports, and enforcing multi-factor authentication. Detection rules can be implemented via YARA (e.g., rule Babuk_Ransomware_v1 from Florian Roth) and Sysmon process creation logs for `vssadmin` and `bcdedit` commands. Regular offsite backups and network segmentation reduce spread risk. MITRE ATT&CK IDs: T1486 (Data Encrypted for Impact) and T1490 (Inhibit System Recovery). Public decryptors for early Babuk variants are available from the No More Ransom project (2021).
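As an added illustration of the Sysmon-based detection described above (example code written for this page, not from the original source or any vendor it cites), the following Python flags the `vssadmin` and `bcdedit` command lines and the ransom-note and extension indicators listed on this page in constructed process-creation records and file paths; the record field names and all sample values are assumptions.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the
# fields a detection reads. Made-up sample data, not telemetry from any incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",          # benign admin activity
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# (rule name, command-line pattern, ATT&CK technique) for the two recovery-
# inhibition commands the page attributes to Babuk; matched case-insensitively.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*/all\b", re.I), "T1490"),
    ("recovery_mode_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I), "T1490"),
]

RANSOM_NOTE = "howtorestoreyourfiles.txt"      # compared case-insensitively
ENCRYPTED_EXTS = (".babuk", ".babyk")          # Windows and ESXi variants

def match_babuk_recovery_inhibition(events):
    """Return (rule, technique, command line) for each matching process-creation event."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        for name, pattern, technique in RULES:
            if pattern.search(cmd):
                hits.append((name, technique, cmd))
    return hits

def match_babuk_file_indicators(paths):
    """Flag ransom-note drops and files carrying the Babuk encrypted extensions."""
    hits = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name == RANSOM_NOTE:
            hits.append(("ransom_note", path))
        elif name.endswith(ENCRYPTED_EXTS):
            hits.append(("encrypted_file", path))
    return hits
```

The third sample event (`vssadmin list shadows`) is deliberately benign and is not flagged, which keeps the rule from firing on routine backup administration.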