Critical Infrastructure Security, Cybercrime, Cybercrime as-a-Service
Code to generate unique copies of crypto-locking malware uploaded to VirusTotal
Mathew J. Schwartz (euroinfosec) •
June 29, 2021
The code used to make copies of the Babuk ransomware – to infect victims with the crypto-locking malware – was leaked after someone uploaded the software to the VirusTotal malware scanning service on Sunday.
The VirusTotal upload, the discovered by British security researcher Kevin Beaumont, contains a Windows executable called “Babukbuilder” which Beaumont says is “used by the Babuk ransomware group to create Babuk payloads and decrypters”.
Whether the leak was accidental or deliberate – perhaps a rival gang who tried to burn the operation down – remains unclear.
Builders are used to generate malicious executables – also known as payloads – that are deployed on victims’ systems by attackers with ransomware. They can be used by the operators of a ransomware gang or by third party vendors working with the group and are usually designed to vary the executable that is generated each time so that it doesn’t match signatures for known malicious code.
Ransomware Leak Time – Babuks Builder. Used for Babuk payload creation and decryption.
builder.exe folder name, e.g. builder.exe victim spits out payloads for:
Windows, VMware ESXi, Network Attached Storage x86 and ARM.
note.txt must contain ransom.https: //t.co/K3J3zr1XBv pic.twitter.com/1bl7oc0TvO
– Kevin Beaumont (@GossiTheDog) June 27, 2021
How the code was uploaded to a malware checking service remains unknown. Malware developers typically use other methods provided through the Cybercrime-as-a-Service ecosystem to see if antivirus scanners are flagging a particular executable as malicious. However, the wrong file may have been uploaded by mistake by Babuk or one of his partners or users. Or the upload could have been the work of a rival gang or an unfortunate business partner who tried to burn the operation.
The Babuk Builder, says Beaumont, generates code that works on “Windows, VMware ESXi, Network-Attached Storage x86 and ARM”, each based on the Microsoft operating system, as well as a widely used VMware hypervisor and NAS devices. Many companies rely on NAS as part of their backup and recovery strategy, which means that if attackers can crypto-lock not only Windows PCs but such backups as well, more victims may be forced to pay a ransom for the promise they make a decryption tool to recover data.
Cybersecurity firm Recorded Future’s news site, The Record, said it received a copy of the builder from Beaumont and verified that it was working as advertised. It is also reported that the leak follows the source code of the Paradise ransomware posted on the Russian-language XSS cybercrime forum earlier this month, although nothing suggests that the two incidents are linked.
These aren’t the only times ransomware-generating source code has been around. Last year, for example, the attacks were traced back to a group of Persian-speaking hackers operating out of Iran who appeared to be using the Dharma ransomware for financially motivated attacks on targets in China, India, Japan and Russia. Dharma, also known as CrySis, first appeared in 2016, after which several variations began to circulate, some of which were offered for sale. Last year, in particular, the source code for such a Dharma variant was sold for $ 2,000 via a Russian cybercrime forum, which, according to the security company Sophos, was apparently geared towards beginners with low-skilled attackers – also known as script kiddies.
Babuk is renamed to Payload.bin
It is also unclear whether the Babuk source code leak was due to an older version of the company’s ransomware. Notably, Babuk was recently renamed Payload.bin, also known as PayloadBin.
Confusingly, the infamous criminal gang Evil Corp then appeared to have renamed its ransomware WastedLocker – also known as PhoenixLocker and Hades – to PayloadBin, says Fabian Wosar, CTO of security firm Emsisoft. He said the “rebranding” was still referring to the WastedLocker executable and appeared to be “an attempt to induce victims to break OFAC rules,” referring to US sanctions that would allow anyone – including ransomware victims – ban without prior US Treasury Department approval.
Switch to a ransomware-as-a-service model
Babuk’s rebranding followed the April operation which reported it would stop its own attacks and use a ransomware-as-a-service model instead.
Whether the statements of these ransomware operations are true remains unknown. Many of their claims turn out to be little more than self-marketing twists, if not lies (see: Ransomware gangs play with victims and the public).
The RaaS approach that Babuk has claimed is now being practiced is for the operator to create ransomware code and offer it to affiliates who will take the code and infect victims’ systems. Whenever a victim pays, the responsible subsidiary keeps most of the profit while the operator receives the rest.
Affiliates often work with multiple RaaS operations, and some experts say that many operations try to attract the best criminal hackers by offering more advanced attack code as well as accompanying services such as: B. Data leak sites to force victims to pay, as well as ransom payments negotiation teams and better profit-sharing agreements.
However, as the leak in Babuk’s source code shows, well-designed business plans don’t always go according to plan.
In fact, this is the second major setback the group has seen recently. In particular, the alleged move to a RaaS approach appeared to be a duck-and-cover maneuver after public and political outrage sparked after the operation attempted to blackmail police in Washington, DC. In fact, there have been a number of high profile attacks against US targets over the past few months that have resulted in multiple ransomware operations that promised to narrow or even withdraw partners’ target lists. In particular, the Avaddon Operation announced its closure and released all encryption keys victims need to decrypt their systems (see: “Fear” likely drove Avaddon’s exit from ransomware Fray). Whether or not this operation or its actors will return in a renamed form remains to be seen.