Babuk ransomware was discovered in January 2021 and operated a ransomware-as-a-service (RaaS) model before shutting down its operations in April. The group’s modus operandi is much like that of other RaaS operations: it compromises organizations via phishing or vulnerability exploits, such as those used by HAFNIUM, to gain initial access, then exfiltrates sensitive data and encrypts key assets. A key focus for the group is to remove any possibility of data recovery by terminating running applications and backup processes during exfiltration, which includes deleting Windows shadow copies and emptying the recycle bin.
Through its operations, the group has explicitly stated that it would not target hospitals, non-profit charities and schools, or any organization with annual revenue below USD4 million. Babuk has since shut down its operations and released the full source code of its ransomware builder and decryptor on a hacking forum.
Analyzing Babuk
Upon execution, Babuk encrypts all files on the victim’s machine while deleting backups, preventing file recovery and system restore. It then drops a ransom note with a link to the Babuk Tor site.
Running the attack
ReaQta-Hive reconstructs the breach, providing complete details of attacker tactics.
ReaQta-Hive is equipped with ransomware protection capabilities to prevent any potential data encryption on endpoints. Any ransomware behavior is automatically blocked upon detection to ensure that sensitive data is protected.
There are several ways that ransomware developers can prevent recovery from backups. The most common approach is to delete Shadow Volume Copies with the command vssadmin.exe Delete Shadows /All /Quiet, as captured on the behavioral tree. This command runs the vssadmin.exe utility to quietly delete all Shadow Volume Copies on the machine. Shadow Volume Copies, which are usually taken daily, provide manual or automatic backups, or snapshots, even of files that are in use. This allows organizations to roll back Windows to a previous configuration should the need arise. Ransomware groups such as Babuk design their ransomware to delete Shadow Volume Copies upon infection, preventing their use to recover encrypted files.
Cyber criminals also use wmic.exe shadowcopy delete to remove Shadow Copies. To account for these varied backup-deletion mechanisms, ReaQta uses DeStra to monitor vssadmin.exe and wmic.exe activity. DeStra, short for Detection Strategy, is a real-time scripting engine that allows security operators to write custom detection and response rules tailored to the needs and requirements of their business. Should such techniques be employed, DeStra raises real-time alerts to the IT security team and prevents the deletion of the backups by terminating the vssadmin and wmic commands.
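The detection-and-response logic described above, expressed as an added Python example rather than DeStra's own rule syntax (which this page does not show): it evaluates process-creation events against token-based, case-insensitive rules for the two shadow-copy deletion commands named here and returns a "terminate" finding for each match. The event format and the sample events are constructed for this example and are not telemetry from the described attack; the parent image names are placeholders.

```python
"""Flag shadow-copy deletion via vssadmin.exe / wmic.exe in process-creation events.

Added example, not ReaQta/DeStra code. Event dicts are an assumed, simplified
schema: pid, image, cmdline, parent_image.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Rules match on command-line tokens rather than an exact string, so changes in
# casing, argument order, extra switches, or a full path before the binary name
# do not evade them. Both patterns correspond to the commands discussed above.
RULES = {
    "vssadmin_delete_shadows": re.compile(
        r'(^|[\\\s"])vssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b', re.IGNORECASE),
    "wmic_shadowcopy_delete": re.compile(
        r'(^|[\\\s"])wmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b', re.IGNORECASE),
}


@dataclass
class Finding:
    rule: str          # which rule fired
    pid: int           # process to terminate
    parent_image: str  # who spawned it; useful for the alert and the behavioral tree
    cmdline: str
    action: str        # response decided by the rule ("terminate")


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding if the event's command line matches any rule, else None."""
    cmd = event.get("cmdline", "")
    for name, pattern in RULES.items():
        if pattern.search(cmd):
            return Finding(name, event["pid"], event.get("parent_image", ""), cmd, "terminate")
    return None


def detect(events: Iterable[dict]) -> List[Finding]:
    """Evaluate a stream of process-creation events and collect the findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample events: two deletion attempts, one benign vssadmin query,
# one unrelated service process.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\PLACEHOLDER_dropper.exe"},
    {"pid": 4188, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c wmic shadowcopy delete",
     "parent_image": r"C:\Users\user\AppData\Local\Temp\PLACEHOLDER_dropper.exe"},
    {"pid": 5002, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows",          # read-only query; not flagged
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 5100, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs",
     "parent_image": r"C:\Windows\System32\services.exe"},
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] pid={f.pid} parent={f.parent_image} -> {f.action}: {f.cmdline}")
```

In a real deployment the "terminate" action would be wired to the endpoint agent, and the alert should carry the parent image so the analyst can see which process spawned the deletion command, as the behavioral tree on this page does. Note that the read-only `vssadmin.exe list shadows` is deliberately not flagged, which keeps administrators' routine checks from generating noise.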
ReaQta-Hive autonomously stops Babuk at a very early stage of the attack, effectively mitigating business interruption. ReaQta’s AI automatically terminated all malicious processes and contained the threat within seconds, then closed the alert to reduce the additional actions required of the security team.
As ransomware attacks become more prevalent in today’s threat landscape, organizations should adopt adequate and necessary security measures to future-proof their businesses.
To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.