Published on January 04, 2022

Babuk Ransomware (RaaS): Back-up Deletion and how to stop it

Babuk ransomware was discovered in January 2021 and operated a ransomware-as-a-service (RaaS) model before shutting down its operations in April. The group’s modus operandi is much like other RaaS operations, compromising organizations via phishing attempts or vulnerability exploits such as those used by HAFNIUM to gain initial access. This is followed by exfiltration of sensitive data and encryption of key assets. A key focus for the group is to prevent any possibility of data recovery via the termination of ongoing applications and back-ups during exfiltration, which includes the deletion of Windows shadow copies and recycle bin.

Through its operations, the group has explicitly stated that they would not target hospitals, non-profit charities and schools, or any organizations with revenues less than USD4 million annually. Babuk has since shut down their operations, and have released full source codes of their ransomware builder and decryptor on a hacking forum.

New call-to-action

Analyzing Babuk

Upon execution, Babuk encrypts all files on the victim’s machine while deleting away backups, preventing file recovery and system restore. This is then followed by a ransom note with a link to the Babuk Tor site.

Babuk ransom note

Running the attack

ReaQta-Hive reconstructs the breach, providing complete details of attacker tactics.

ReaQta-Hive’s Behavioural Tree showing the Babuk ransomware

ReaQta-Hive is equipped with ransomware protection capabilities to prevent any potential data encryption on endpoints. Any ransomware behavior is automatically blocked upon detection to ensure that sensitive data is protected. 

vssadmin.exe delete shadows/all/quiet command is captured on the behavioral tree

There are several ways that ransomware malware developers can use as part of their backup prevention operation. The most common approach would be to delete Shadow Volume Copies, via vssadmin.exe Delete Shadows /All /Quiet command as captured on the behavioral tree. This command executes vssadmin.exe utility to quietly delete allShadow Volume Copies on the machine. Shadow Volume Copies, which are usually done daily, provides the ability for manual or automatic backups, or snapshots even when files are in use. This allows organizations to roll back Windows to a previous configuration should the need arise. Ransomware Groups such as Babuk design the ransomware with the ability to delete Shadow Volume copies upon an infection, preventing its usage to recover encrypted files.

“vssadmin.exe” delete shadows/all/quiet command via Command Prompt

Cyber criminals also use wmic.exe shadowcopy delete to delete away Shadow Copies. While taking into account the varied mechanisms for backup deletion, ReaQta uses DeStra to monitor for vssadmin.exe and wmic.exe activities. DeStra, also known as Detection Strategy, is a real-time scripting engine that allows security operators to write custom detection and response rules, tailored to the needs and requirements of businesses. Should such techniques be employed, DeStra provides real-time alerts to the IT security teams and prevents the deletion of the backups via the termination of the vssadmin and wmic commands. 

DeStra detection for process “vssadmin.exe” and “wmic.exe”

ReaQta-Hive autonomously stops Babuk in very early attack stages, effectively mitigating business interruptions. ReaQta’s AI automatically terminated all malicious processes and prevented the threat within seconds before closing the alert to reduce any additional actions required of security teams.

Babuk is automatically stopped by ReaQta-Hive within seconds

As ransomware attacks become more prevalent in today’s threat landscape, organizations should adopt adequate and necessary security measures to future-proof their businesses. 

New call-to-action

To learn more about what makes ReaQta unique, please visit Why ReaQta and apply for a demonstration.