Babuk

Malware updated a month ago (2024-11-29T14:33:37.474Z)
Download STIX
Preview STIX
Babuk is a form of malware, specifically ransomware, that infiltrates computer systems and encrypts files, rendering them inaccessible to the user. It typically infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operations or hold data hostage for ransom. The Babuk sample discovered was found to be a 64-bit build for ESXi, created using a publicly available configurator. It uses standard encryption algorithms for Babuk builds for ESXi – X25519 + SHA256 + Sosemanuk, and applies the standard extension for encrypted files, *.babyk. The group behind this malware encrypts victims’ devices using two ransomware families: LockBit for Windows and Babuk for Linux (ESXi). In the final stage of the attacks, the threat actors deploy either LockBit or Babuk depending on the target infrastructure. This suggests a level of sophistication and adaptability in their approach. The group does not have its own malware strain, instead opting to use existing encryptors like Ragnar Locker and Babuk. Interestingly, the Babuk variant we discovered was designed for ESXi, a popular server virtualization platform, indicating a focus on targeting enterprise-level infrastructures. In response to the spread of Babuk, cybersecurity firm Avast released a decryptor for the Tortilla variant of Babuk ransomware. This tool greatly simplifies the process of decrypting files locked by the Tortilla variant of Babuk. Avast has also updated its free Babuk decryptor to handle Tortilla-encrypted files, making it available via the No More Ransom portal. This development provides relief for victims of the ransomware, allowing them to recover their encrypted files without having to pay the demanded ransom.
Description last updated: 2024-10-15T09:26:30.610Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Lockbit is a possible alias for Babuk. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or
8
Rorschach is a possible alias for Babuk. Rorschach, also known as BabLock, is a malware variant that has been recognized for its speed and sophistication. It is a form of ransomware that encrypts files on infected systems at an unprecedented rate, with Check Point researchers noting it as one of the fastest ransomware variants ever observe
4
RTM Locker is a possible alias for Babuk. RTM Locker is a recently emerged ransomware that targets enterprise systems, specifically Linux virtual machines on VMware ESXi servers. This malicious software was developed from the leaked source code of the now-defunct Babuk ransomware, which was made public by an alleged member of the Babuk grou
4
Tortilla is a possible alias for Babuk. Tortilla is a variant of the Babuk ransomware, a malicious software that encrypts victims' files and demands a ransom for their release. This malware, like others of its kind, can infiltrate systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can di
4
Dark Angels is a possible alias for Babuk. Dark Angels, a threat actor group with malicious intent, has emerged as a significant cybersecurity concern since its first appearance in May 2022. Known for their ransomware attacks, the group has been involved in several high-profile cybercrimes, targeting large corporations and stealing vast amou
2
Dunghill Leak is a possible alias for Babuk. The Dunghill Leak is a relatively new ransomware and extortion group that emerged from the Dark Angels ransomware, which itself originated from the Babuk ransomware. It first came to light in April 2023 when the Dark Angels launched their victim shaming site called Dunghill Leak. This platform, alth
2
Rapture is a possible alias for Babuk. Rapture is a prominent malware that has emerged as a significant threat in the cybersecurity landscape. It appears to have adapted and evolved from the Paradise crypto-locker source code, which leaked in mid-2021. Further enhancements were made using the Babuk source code that was leaked later the s
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Source
Esxi
Linux
Windows
Locker
Encryption
Extortion
Ransom
Payload
Malware
RaaS
Exploit
Ransomware P...
Vulnerability
Cybercrime
Vmware
Esxiargs
flaw
Cisco
Encrypt
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The REvil Malware is associated with Babuk. REvil, also known as Sodinokibi, is a malicious software (malware) that operates on a Ransomware as a Service (RaaS) model. This model became increasingly popular in 2020, with first-stage malware like Dridex and Gootkit being linked to ransomware attacks such as BitPaymer and REvil respectively. ThUnspecified
6
The Hive Malware is associated with Babuk. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostagUnspecified
5
The Conti Malware is associated with Babuk. Conti is a type of malware, specifically ransomware, which is designed to infiltrate and damage computer systems. This malicious software can enter systems through various methods such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personaUnspecified
5
The RTM Malware is associated with Babuk. RTM is a malicious software, first reported as the RTM banking Trojan, that was initially detected by vendors such as Symantec and Microsoft in 2017. This malware operates on Windows 7 RTM (7600) and was later updated to a variant known as Redaman. The leaked source code of RTM has been utilized to Unspecified
4
The Rook Malware is associated with Babuk. Rook is a malicious software (malware) linked to several ransomware activities, including LockFile, AtomSilo, Night Sky, and Pandora. These activities are associated with the deployment of HUI Loader, which has been used in loading Cobalt Strike Beacon. A CTU analysis revealed that these five ransomUnspecified
4
The Ragnar Locker Malware is associated with Babuk. Ragnar Locker is a type of malware, specifically ransomware, known for its destructive impact on computer systems. It infiltrates systems primarily through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or hold data hostage for ransUnspecified
2
The Babuk Tortilla Malware is associated with Babuk. Babuk Tortilla is a variant of malware, specifically ransomware, that was first discovered by Cisco Talos researchers in October 2021. This malicious software infiltrates computer systems, often unbeknownst to the user, through suspicious downloads, emails, or websites, and can cause significant harUnspecified
2
The Locker Ransomware Malware is associated with Babuk. Locker ransomware, a type of malware, poses significant risks to computer systems and data. Unlike crypto-ransomware which encrypts user data, locker ransomware locks users out of their devices entirely, demanding a ransom payment to restore access without any data encryption. This threat has evolveUnspecified
2
The Ryuk Malware is associated with Babuk. Ryuk is a type of malware known as ransomware, which has been utilized by the threat group ITG23 for several years. This group has been notorious for crypting their malware, with crypters seen in use with other malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware invesUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The DarkSide Threat Actor is associated with Babuk. DarkSide is a threat actor known for its malicious activities, primarily in the realm of ransomware attacks. One of their most notable exploits occurred on May 7, 2021, when they targeted Colonial Pipeline Co., a major player in the U.S. energy sector. The attack disrupted the gasoline supply acrossUnspecified
4
The Wazawaka Threat Actor is associated with Babuk. Wazawaka, identified by the FBI as Mikhail Matveev, is a significant threat actor in the cybercrime landscape. Known for his affiliations with multiple ransomware groups, including LockBit, throughout 2020 and 2021, he became a central figure in the Babuk ransomware-as-a-service gang. Matveev's operUnspecified
3
The Boriselcin Threat Actor is associated with Babuk. Mikhail Pavlovich Matveev, also known as Boriselcin, is a threat actor that has been implicated in significant cybercrime activities. Beginning at least as early as 2020, Matveev has been allegedly involved in deploying three ransomware variants: LockBit, Babuk, and Hive. These attacks targeted variUnspecified
3
The Mikhail Matveev Threat Actor is associated with Babuk. Mikhail Matveev, also known by the aliases Wazawaka, m1x, Boriselcin, and Uhodiransomwar, is a prominent threat actor associated with significant cybercrime activities. His involvement in the cybercrime world was traced back to 2020 and 2021 when he was identified as an affiliate of LockBit, a notorUnspecified
2
The Hive Ransomware Threat Actor is associated with Babuk. Hive ransomware, a prominent threat actor active in 2022, was known for its widespread malicious activities in numerous countries, including the US. The group's modus operandi involved the use of SharpRhino, which upon execution, established persistence and provided remote access to the attackers, eUnspecified
2
The Mikhail Pavlovich Matveev Threat Actor is associated with Babuk. Mikhail Pavlovich Matveev, a Russian national also known by online monikers Wazawaka, m1x, Boriselcin, and Uhodiransomwar, has been identified as a major threat actor in the world of cybersecurity. Matveev is among five Russians charged in connection with Lockbit, a group widely recognized as one ofUnspecified
2
The Alphv Threat Actor is associated with Babuk. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient pUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The Proxyshell Vulnerability is associated with Babuk. ProxyShell is a vulnerability that affects Microsoft Exchange email servers, posing a significant risk to organizations worldwide. This flaw in software design or implementation allows attackers to exploit the system and gain unauthorized access. Since early 2021, Iranian government-sponsored APT acUnspecified
2
Source Document References
Information about the Babuk Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Checkpoint
16 days ago
InfoSecurity-magazine
16 days ago
Securityaffairs
25 days ago
Securelist
25 days ago
Securelist
2 months ago
Securityaffairs
4 months ago
Securelist
4 months ago
Securityaffairs
4 months ago
Securityaffairs
5 months ago
DARKReading
5 months ago
CERT-EU
a year ago
Securelist
5 months ago
Unit42
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
Securityaffairs
5 months ago
DARKReading
5 months ago
Securityaffairs
5 months ago
Securityaffairs
6 months ago