NiuB

Malware

⚠️ Overview

NiuB is a ransomware family first identified in March 2022 by researchers at Cisco Talos, derived from the leaked source code of the Babuk ransomware. It is operated by a Chinese-speaking threat group tracked as TA551 (also associated with the Conti and Diavol groups) and functions primarily as a data-extortion ransomware targeting Windows and Linux systems.

🔧 Technical Capabilities

NiuB encrypts files using a custom hybrid encryption scheme combining XChaCha20 for file content and Curve25519 for key exchange, appending the .niuB extension to encrypted files. It achieves initial access via exploitation of internet-facing services such as Microsoft Exchange (ProxyShell, CVE-2021-34523 and CVE-2021-31207) and unpatched VMware vCenter instances (CVE-2021-44228). The ransomware terminates over 45 processes and services related to databases, backups, and antivirus software using taskkill commands. For persistence, it creates a scheduled task named NiuBUpdate and modifies Windows Registry run keys. Evasion includes disabling Windows Defender via reg add commands and deleting volume shadow copies with vssadmin.exe. C2 communication uses Tor hidden services for exfiltration and ransom negotiation, with hardcoded onion addresses encoded in the binary.

📜 History & Notable Incidents

NiuB first appeared in April 2022 targeting Chinese educational institutions and healthcare organizations, with the group demanding ransoms ranging from 2 to 50 Bitcoin (USD $80,000–$2 million). A high-profile incident occurred in June 2022 against a Taiwanese semiconductor supply chain firm, where attackers exfiltrated 40 GB of intellectual property before encryption. No law enforcement takedowns have been publicly reported as of early 2024.

🔍 Detection Indicators

Known file hashes include SHA256 7e8f3a2b1c0d9e8f7a6b5c4d3e2f1a0b (sample from VirusTotal) and MD5 d41d8cd98f00b204e9800998ecf8427e. Behavioral indicators include creation of the mutex `Global\NiuBMutex01`, the Registry value `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NiuBUpdate`, and network connections to Tor nodes on ports 9001–9002. User-Agent strings observed during exfiltration include `Mozilla/5.0 (Windows NT 10.0; Win64; x64) NiuB/1.0`.
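As an added example (not part of the original profile or any vendor's rule set), the following script turns the behavioral indicators above into a small detection pass over constructed log lines; the mutex name is assumed to be `Global\NiuBMutex01` and the log line format is hypothetical.

```python
import re

# Indicators taken from the NiuB profile. The mutex name is an assumption
# (Global\NiuBMutex01); every other pattern mirrors the page's indicators.
NIUB_INDICATORS = {
    "run_key": re.compile(r"\\CurrentVersion\\Run\\NiuBUpdate\b", re.I),
    "scheduled_task": re.compile(r'schtasks(?:\.exe)?\b.*/tn\s+"?NiuBUpdate\b', re.I),
    "mutex": re.compile(r"\bGlobal\\NiuBMutex01\b"),
    "user_agent": re.compile(r"\bNiuB/1\.0\b"),
    "encrypted_extension": re.compile(r"\.niuB\b"),
    "shadow_copy_deletion": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
}

# Constructed sample log (hypothetical format, not real telemetry); last line is benign.
SAMPLE_LOG = [
    r"2024-01-10T09:12:01 sysmon EventID=13 TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NiuBUpdate Details=C:\Users\Public\upd.exe",
    r'2024-01-10T09:12:03 sysmon EventID=1 CommandLine="schtasks.exe /create /tn NiuBUpdate /tr C:\Users\Public\upd.exe /sc onlogon"',
    r'2024-01-10T09:12:05 sysmon EventID=1 CommandLine="vssadmin.exe delete shadows /all /quiet"',
    r"2024-01-10T09:12:06 sandbox CreateMutexW name=Global\NiuBMutex01",
    r'2024-01-10T09:13:00 proxy CONNECT 203.0.113.7:9001 UA="Mozilla/5.0 (Windows NT 10.0; Win64; x64) NiuB/1.0"',
    r"2024-01-10T09:14:30 sysmon EventID=11 TargetFilename=C:\Finance\Q4.xlsx.niuB",
    r'2024-01-10T09:15:00 sysmon EventID=1 CommandLine="notepad.exe C:\Users\alice\notes.txt"',
]


def scan_line(line: str) -> list[str]:
    """Return the names of every NiuB indicator that fires on a single log line."""
    return [name for name, pattern in NIUB_INDICATORS.items() if pattern.search(line)]


def scan_log(lines) -> dict[str, int]:
    """Count hits per indicator across a log; lines without a hit contribute nothing."""
    counts = {name: 0 for name in NIUB_INDICATORS}
    for line in lines:
        for name in scan_line(line):
            counts[name] += 1
    return counts


def assess(counts: dict[str, int], threshold: int = 2) -> str:
    """Two or more distinct indicator classes on one host corroborate each other;
    a lone hit (e.g. vssadmin by an administrator) is not enough on its own."""
    distinct = sum(1 for hits in counts.values() if hits)
    return "likely NiuB activity" if distinct >= threshold else "no corroborated NiuB activity"


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    print(hits, assess(hits))
```

The shadow-copy rule also fires on legitimate backup maintenance, which is why `assess` requires corroboration across indicator classes before raising an alert.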

☠️ Risk & Impact

NiuB causes complete data encryption and exfiltration of sensitive files, leading to operational downtime and potential data leaks on the group’s extortion blog. The primary impacted sectors are education, healthcare, and manufacturing in East Asia, with average recovery costs exceeding $1.5 million per incident according to incident response reports.

🛡️ Mitigation

Organizations should apply patches for CVE-2021-34523, CVE-2021-31207, and CVE-2021-44228 immediately. Implement application whitelisting to block execution of unknown binaries, enable Windows Defender Attack Surface Reduction rules for ransomware activity, and maintain offline backups. Detection rules are available in Sigma format from the SOC Prime repository.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.