Don’t pay Babuk ransomware hackers; their decryptor doesn’t work and hackers themselves can’t do anything

A McAfee security report notes that Babuk ransomware operators have been implementing some new attack mechanisms to infect Linux, UNIX, and VMware systems, which would allow for the engagement of high-profile organizations that use these systems. A striking feature of these new practices is the use of the cross-platform language Golang for binary writing.

This could bring disastrous consequences, as researchers report the discovery of some Babuk-infected systems that simply cannot be reset due to the use of a faulty binary or a faulty decryption tool.

Researchers Thibault Seret and Noël Keijzer mention: “Victims could give in to the demands of hackers and still not be able to recover their files. This changes the dynamics from extortion to the total destruction of the affected files, which we believe is not part of the hackers’ plan as it directly impacts their profits.”

A conventional Babuk attack involves three different phases: initial access, propagation on the affected network, and attack on the target; this last phase involves the installation of a Cobalt Strike backdoor that completes the malicious actions. However, the binary used by threat actors for Windows systems is poorly implemented and includes multiple design flaws that could result in irreversible corruption of the compromised data.

Another major change in Babuk came a few weeks ago after the unsuccessful attack on the U.S. Police Department. This failure led Babuk’s hackers to change their methodology, announcing that they would stop encrypting systems to focus on extracting sensitive information, as well as promising that the ransomware employed in their attacks would become an open source project.

This might seem like good news for affected users, although in some cases the damage has already been done. Files encrypted from considerable number of victims will no longer be able to be recovered due to misapplication of encryption and poor development of decryption tool. Researchers believe it highly likely that Babuk’s developers have noticed this phenomenon, so they decided to modify their operations.

The latest known hacking incident linked to Babuk is the leak of the source code of the video game Cyberpunk 2077. After that, the hacking group has remained inactive, probably due to the transition to its new criminal scheme.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.