Babuk ransomware was discovered in January 2021 and operated a ransomware-as-a-service (RaaS) model before shutting down its operations in April 2021. The group's modus operandi is much like that of other RaaS operations: initial access is gained through phishing or by exploiting vulnerabilities, such as the Microsoft Exchange Server flaws used by HAFNIUM, followed by exfiltration of sensitive data and encryption of key assets. A key focus for the group is to remove any possibility of data recovery: during exfiltration it terminates running applications and backup processes, deletes the Windows shadow copies and empties the Recycle Bin.
Through its operations, the group explicitly stated that it would not target hospitals, non-profit charities, schools, or any organization with annual revenue below USD 4 million. Babuk has since shut down its operations and released the full source code of its ransomware builder and decryptor on a hacking forum.
Analyzing Babuk
Upon execution, Babuk encrypts all files on the victim's machine while deleting backups, preventing file recovery and system restore. It then drops a ransom note containing a link to the Babuk Tor site.
Babuk ransom note
Running the attack
IBM Security ReaQta reconstructs the breach, providing complete details of the attacker's tactics.
ReaQta’s Behavioural Tree showing the Babuk ransomware
ReaQta is equipped with ransomware protection capabilities that prevent data encryption on endpoints: ransomware behavior is blocked automatically as soon as it is detected, so sensitive data stays protected.
The vssadmin.exe Delete Shadows /All /Quiet command captured on the behavioral tree
There are several ways in which ransomware developers prevent recovery from backups. The most common is to delete Shadow Volume Copies via the vssadmin.exe Delete Shadows /All /Quiet command, as captured on the behavioral tree. This invokes the vssadmin.exe utility to delete all Shadow Volume Copies on the machine; the /All switch selects every shadow copy and /Quiet suppresses the confirmation prompt, so the command runs silently. Shadow Volume Copies are point-in-time snapshots of a volume taken by the Volume Shadow Copy Service (VSS), typically on a daily schedule or on demand; because they are taken at the volume level, they capture files even while those files are in use. They allow organizations to restore Windows to a previous configuration, or roll individual files back to an earlier version, should the need arise. Ransomware groups such as Babuk build their ransomware to delete Shadow Volume Copies upon infection, so that the snapshots cannot be used to recover the encrypted files.
The vssadmin.exe Delete Shadows /All /Quiet command run via Command Prompt
Cyber criminals also use wmic.exe shadowcopy delete, which removes Shadow Copies through the WMI Win32_ShadowCopy class instead of through vssadmin. To account for these varied deletion mechanisms, ReaQta uses Detection Strategies (DeStra) to monitor vssadmin.exe and wmic.exe activity.
DeStra is a real-time scripting engine that lets security operators write custom detection and response rules tailored to the needs and requirements of their business. When such techniques are employed, DeStra raises a real-time alert to the IT security team and prevents the deletion of the backups by terminating the vssadmin and wmic processes.
DeStra detection for process “vssadmin.exe” and “wmic.exe”
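The detection logic described above, as an added example that is not ReaQta's DeStra code and does not use its rule syntax. It runs over process-creation telemetry in the shape of Sysmon Event ID 1 / Windows 4688 fields (the field names, PIDs, paths and the babuk.exe parent image are constructed for the demo). It matches both commands from this page, and goes slightly beyond them by also covering vssadmin resize shadowstorage (a known way to evict shadow copies without a delete verb) and the wmic path win32_shadowcopy delete spelling. Matching is on lower-cased, order-insensitive tokens so that case changes, swapped switches and a cmd.exe /c wrapper do not evade it, while the benign vssadmin list shadows does not fire.

```python
"""Detect shadow-copy tampering (vssadmin / wmic) in process-creation events.

Illustrative code, not ReaQta DeStra. Event field names are an assumption
modelled on Sysmon Event ID 1 / Windows 4688; sample events are constructed.
"""
import re

# Constructed sample telemetry (PIDs, paths and parent image are invented).
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3988, "parent": r"C:\Users\victim\Downloads\babuk.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 4132, "ppid": 3988, "parent": r"C:\Users\victim\Downloads\babuk.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"pid": 4140, "ppid": 3988, "parent": r"C:\Users\victim\Downloads\babuk.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "VSSADMIN Resize ShadowStorage /For=C: /On=C: /MaxSize=401MB"},
    {"pid": 4160, "ppid": 3988, "parent": r"C:\Users\victim\Downloads\babuk.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c "vssadmin delete shadows /quiet /all"'},
    {"pid": 4150, "ppid": 1200, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},   # benign admin use: must not fire
]

# (rule id, program name, tokens that must all appear on the command line).
# Order-insensitive, so "/All /Quiet" and "/quiet /all" both match.
RULES = [
    ("vssadmin_delete_shadows", "vssadmin", {"delete", "shadows"}),
    ("vssadmin_resize_shadowstorage", "vssadmin", {"resize", "shadowstorage"}),
    ("wmic_shadowcopy_delete", "wmic", {"shadowcopy", "delete"}),
    ("wmic_win32_shadowcopy_delete", "wmic", {"win32_shadowcopy", "delete"}),
]


def basename(path):
    """Last path component, lower-cased, with any .exe suffix removed."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def tokenize(cmdline):
    """Lower-cased whitespace tokens with quotes stripped, so a command wrapped
    in cmd.exe /c "..." still exposes its inner tokens."""
    return cmdline.replace('"', "").lower().split()


def programs_in(event):
    """Program names the event may be running: the image itself plus every
    token that looks like an executable name (catches cmd.exe /c wrappers)."""
    names = {basename(event["image"])}
    names.update(basename(t) for t in tokenize(event["cmdline"]))
    return names


def detect_shadow_copy_tampering(events):
    """Return one finding per (event, rule) match."""
    findings = []
    for ev in events:
        tokens = set(tokenize(ev["cmdline"]))
        progs = programs_in(ev)
        for rule_id, program, required in RULES:
            if program in progs and required <= tokens:
                findings.append({"rule": rule_id, "pid": ev["pid"], "ppid": ev["ppid"],
                                 "parent": ev["parent"], "cmdline": ev["cmdline"]})
    return findings


def pids_to_terminate(findings):
    """Response plan: the matched utility *and* the parent that spawned it,
    since killing vssadmin alone leaves the ransomware process running."""
    pids = {f["pid"] for f in findings} | {f["ppid"] for f in findings}
    return sorted(pids)


if __name__ == "__main__":
    hits = detect_shadow_copy_tampering(SAMPLE_EVENTS)
    for h in hits:
        print(f'[{h["rule"]}] pid={h["pid"]} parent={h["parent"]} :: {h["cmdline"]}')
    print("terminate:", pids_to_terminate(hits))
```

Two practical caveats: the deletion completes almost instantly, so a rule like this has to act at process creation (or block the spawn) rather than after the fact, and backup agents legitimately invoke vssadmin, so the parent image is the field that separates a backup job from a babuk.exe-spawned delete.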
ReaQta stops Babuk autonomously in the earliest stages of the attack, mitigating business interruption. ReaQta's AI terminated all malicious processes and contained the threat within seconds, then closed the alert, reducing the follow-up work required of the security team.
Babuk is automatically stopped by ReaQta within seconds
As ransomware attacks become more prevalent in today’s threat landscape, organizations should adopt adequate and necessary security measures to future-proof their businesses.
To learn how organizations can stay safe against unknown attacks like ransomware, read more here.