Analyzing Babuk Ransomware

Amirtha Shivram
3 min read · Jun 8, 2021

Babuk is a ransomware family first observed in early 2021 that has targeted a number of large enterprises.

SHA-256 hash of the sample analyzed in this report:

18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb

Basic information about the sample:

The malware is a 32-bit executable and is not packed.

The first action, in the start function, is to retrieve heap information.

The malware then reads its command line with GetCommandLineW and parses it with CommandLineToArgvW. The arguments control the order in which local disks and network-mounted drives are encrypted. Next it sets its own process shutdown level to 0 (the lowest priority, via SetProcessShutdownParameters), so that during a system shutdown it is among the last processes to be terminated; this does not prevent the user from shutting down or rebooting the machine manually.

The malware then enumerates all services on the system through the Service Control Manager (OpenSCManagerA) and stops those whose names appear in a hardcoded list inside the binary.

Hardcoded list of processes to be stopped:

To terminate these processes, the malware uses CreateToolhelp32Snapshot, OpenProcess and TerminateProcess.

Next, the Volume Shadow Copies are deleted by launching vssadmin through ShellExecuteW, which removes the restore points a victim could otherwise use to recover files without paying.

Before the encryption starts, the contents of the Recycle Bin are emptied with SHEmptyRecycleBinA.

Files are encrypted with the ChaCha stream cipher. After encrypting the files in a folder, the malware drops a ransom note named "How to Restore Your Files.txt" in it.
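The behaviours described above (a burst of service stops through the Service Control Manager, vssadmin deleting shadow copies, and the ransom note appearing in encrypted folders) are visible in ordinary Windows telemetry even though the encryption itself is not. The following script is an added example, not code from the original post or from the Babuk sample; it scores constructed events per host for that sequence. The `ts|host|kind|detail` record format, the host and service names, and the `delete shadows /all /quiet` command line are all assumptions made for this example (the post only says vssadmin is launched via ShellExecuteW). Service stops are modelled as the Windows System log event 7036 ("entered the stopped state").

```python
"""Behavioural detection for the Babuk-style kill chain (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Artefacts taken from the analysis above.
RANSOM_NOTE = "how to restore your files.txt"
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)

# Tuning knobs (assumptions): how many service-stop events within WINDOW
# count as a burst. Legitimate patching rarely stops this many at once.
SERVICE_BURST = 5
WINDOW = timedelta(minutes=5)

# Constructed sample telemetry, one record per line: ts|host|kind|detail
# kind is one of: service_stop (event 7036), process (process creation
# command line), file_create (file creation path).
SAMPLE_LOG = r"""
2021-06-08T10:00:01|WS01|service_stop|BackupSvc
2021-06-08T10:00:01|WS01|service_stop|DbSvc
2021-06-08T10:00:02|WS01|service_stop|AvSvc
2021-06-08T10:00:02|WS01|service_stop|MailSvc
2021-06-08T10:00:02|WS01|service_stop|VssSvc
2021-06-08T10:00:02|WS01|service_stop|SyncSvc
2021-06-08T10:00:05|WS01|process|C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
2021-06-08T10:00:09|WS01|file_create|C:\Users\alice\Documents\How to Restore Your Files.txt
2021-06-08T10:00:20|WS01|file_create|C:\Users\alice\Desktop\How to Restore Your Files.txt
2021-06-08T10:15:00|WS02|service_stop|Spooler
2021-06-08T11:00:00|WS02|process|C:\Windows\System32\vssadmin.exe list shadows
""".strip().splitlines()


def parse(line):
    """Split one record into (timestamp, host, kind, detail)."""
    ts, host, kind, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, kind, detail


def score_host(events):
    """Return (score, reasons) for one host's (ts, kind, detail) events.

    Each of the three Babuk behaviours contributes one point, so a host
    showing all of them scores 3.
    """
    events = sorted(events)
    reasons = []

    # 1. Many services stopped inside a short window (SCM-driven kill list).
    stops = [t for t, kind, _ in events if kind == "service_stop"]
    for i, t0 in enumerate(stops):
        if sum(1 for t in stops[i:] if t - t0 <= WINDOW) >= SERVICE_BURST:
            reasons.append(f"{SERVICE_BURST}+ services stopped within {WINDOW}")
            break

    # 2. Shadow copy deletion via vssadmin ("list shadows" does not match).
    for _, kind, detail in events:
        if kind == "process" and SHADOW_DELETE.search(detail):
            reasons.append("shadow copy deletion: " + detail)
            break

    # 3. Ransom note dropped; count distinct folders to show spread.
    note_dirs = {
        detail.rsplit("\\", 1)[0]
        for _, kind, detail in events
        if kind == "file_create" and detail.lower().endswith(RANSOM_NOTE)
    }
    if note_dirs:
        reasons.append(f"ransom note in {len(note_dirs)} folder(s)")

    return len(reasons), reasons


def detect(lines):
    """Group records by host and score each one."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, kind, detail = parse(line)
        by_host[host].append((ts, kind, detail))
    return {host: score_host(ev) for host, ev in by_host.items()}


if __name__ == "__main__":
    for host, (score, reasons) in detect(SAMPLE_LOG).items():
        print(f"{host}: score={score}")
        for r in reasons:
            print("   -", r)
```

Only WS01 trips all three checks; WS02's single service stop and its read-only `vssadmin list shadows` are left alone, which is the point of requiring a burst and matching the `delete shadows` verb rather than any vssadmin launch.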

https://www.virustotal.com/gui/file/18e299d4331ccff805275b21f33be0a3bd3d1d9ce72a79ba78d2f32dd657bfbb/detection
