Black Arrow Tarlogic’s threat hunting team analyzes Babuk’s source code to unravel how one of the most active ransomware of 2021 operates
Cybersecurity is not a world of freebies. It stands to reason: any leak is, by definition, a sign of a job poorly done. Or that something is wrong. This is probably why the release of Babuk’s source code, one of the most active ransomware of 2021, has generated unusual expectations.
In the last days, rivers of ink have flowed trying to decipher the keys to an episode surrounded by a certain aura of mystery. The unofficial version maintains that one of the group’s member suffered a honesty attack given by his medical condition: he suffers from terminal cancer.
The illness would have led him to release Babuk’s source code on a Russian hacking forum hosted on the dark web. There is, however, a growing controversy in some forums about the veracity of this story.
Doubts fueled by the internal conflicts that this ransomware group has experienced in recent months. A very notorious group in Spain since last April, when The Phone House became one of its many victims.
Anyway, the leak has provided researchers with valuable material to decipher how these groups operate and think. Material that is not very common for them to get their hands on. Aware of this, the threat hunting team at Tarlogic Security has been studying the Babuk’s source code in depth over the past week.
This work has allowed us to draw some very interesting lessons for the future. Not only to prevent new incidents associated with this ransomware. Also to identify techniques used by this group to increase the effectiveness of their cyberattacks.
José Lancharro, director of BlackArrow, the offensive and defensive services division of Tarlogic Security, and José Miguel Gómez-Casero, manager of Threat Hunting at Black Arrow, have led this high-level analysis. An effort that yields some striking conclusions.
The first is the effort made by Babuk’s creators to design less noisy ransomware. José Miguel explains it very graphically: «There are two types of ransomware, the typical one that hogs all the CPU and consumes a lot of resources, and others that make an effort to control the resources they consume so that it’s not so easy to track them».
Babuk is one of the latter. And it does so in a somewhat ingenious way. The malicious code calculates the processors at its disposal once inside the attacked systems and estimates the resources it can use.
It will then decide how much CPU to absorb to propagate the attack, but without actually gobbling up all the resources.The latter is a signal that could alert the systems team.
«When a computer consumes a lot of resources, something strange is going on -says José Lancharro-. This ransomware wants to go below that threshold so as not to be detected».
But that is not the only singularity detected in Babuk’s source code. Black Arrow’s Threat Hunting manager focuses on another additional mechanism detected in the ransomware to increase its effectiveness: a routine to stop system processes and services.
With this mechanism, the ransomware manages to stop all the processes and services included in a previously prepared list. These are very common processes that computers often launch or keep running in the background: winword.exe, wordpad, Oracle…
Many of them, services related to antivirus or backup processes. There is in fact in Babuk a call to a command that disables Shadow Copy, the Windows application for creating backups or snapshots of files, even when they are being used.
In this way, ransomware not only seeks to spread itself more widely throughout the victim’s systems. It also hampers the ability to have a backup to minimize possible damage.
There is a third element in Babuk’s source code that Lancharro and Gómez-Casero mention. In this case, a particularity that, in their opinion, would facilitate detection if the company or entity under attack has advanced cybersecurity services.
Babuk isn’t very selective about the files and protocols it encrypts. In fact, it only excludes three extensions: .exe, .ddl and, obviously, .babuk.
This way of operating, BlackArrow argues, slows down the ransomware’s penetration rate because it encrypts much more information, including some that could be considered «not very valuable».
«It gets distracted by encrypting things that don’t have much value. And that gives the hunter time to react before valuable information is encrypted», argues José Miguel.
However, the director of BlackArrow points out, «if you don’t detect it, it will encrypt all kinds of information, which although not all of it has the same value, it could be important in a forensic analysis process». Babuk even encrypts the .logs files, which will be a serious problem for investigating the episode if the ransomware gets away with it.
What they both agree on is that the leak of Babuk’s source code has once again highlighted the need for protection faced by companies and government agencies.
This need is becoming more pressing with each passing day. Services such as threat hunting, red team, blue team, pentesting, or hardening will become non-negotiable for all kinds of companies and organizations.
Hostile actors «don’t always reinvent themselves, they don’t always create new things, but what they do is almost always faster than companies», warns Gómez-Casero.
In this sense, José Lancharro explains that a good threat hunting service has to be based on assumptions of commitment, so it has to start from an unsettling principle: «That we are committed». By putting yourself in the enemy’s shoes, gutting and anticipating their techniques, and not just being reactive to the attack, you will optimize your effectiveness in the face of any attack.
This is what cybersecurity looks like…