Babuk Ransomware Builder Mysteriously Appears in VirusTotal

  • The gang’s source code is now available to rivals and security researchers alike – and a decryptor likely is not far behind.

    The Babuk ransomware gang’s source code has been uploaded to VirusTotal, making it available to all security vendors and competitors. It’s unclear however just how that happened.

    According to a Wednesday posting from Malwarebytes, the operators of the ransomware – perhaps best-known for hitting the Washington D.C. police force in April – had told its underground forum audience that it was getting out of the encryption biz. The crooks instead promised to pivot to a steal, leak and shame approach focused on data theft and extortion.

    According to Malwarebytes, the group announced:

    “Babuk changes direction, we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it if you do not get in touch we make an announcement,” read the hacker-forum post. Separately, it wrote, “The Babuk project will be closed, its source code will be made publicly available, we will do something like open-source RaaS, everyone can make their own product based on our product.”

    The “open-source ransomware-as-a-service” approach is something seen recently when the Paradise gang uploaded its source code to a hacking forum.

    After the D.C. incident, it could be that the gang was feeling the heat from law enforcement – several ransomware crews, including the Darkside group responsible for the Colonial pipeline attack, have cited increased and unwelcome scrutiny from international law enforcement as a reason to alter their target choices and crimeware approaches.

    The announcement was met with skepticism from the security community, and indeed, operations didn’t seem to cease. Babuk did, however, rebrand its leak site as “Payload.bin,” taking its own name out of it.

    “It needs to be said that the Babuk operators were always a bit fickle in their communications. One moment they would announce something, only to delete it shortly after and issue a new statement,” according to Malwarebytes’ posting. “As our esteemed colleague Adam Kujawa, director of Malwarebytes Labs said when Maze announced its retirement, ‘ransom actors are professional liars and scammers; to believe anything they say is a mistake.’”

    But now, two months later, the Babuk builder used to create the ransomware’s unique payloads and decryption modules has been made public, researchers said. And it’s puzzling why.

    “It has been a while since malware authors were dunce enough to upload their work to [VirusTotal] VT to check whether it would be detected by the anti-malware industry or not,” according to Malwarebytes. “The vendors that cooperate on VT have access to any files uploaded there. So, if their freshly created malware was not detected immediately, it would be soon after. Since those days, malware authors have their own services to run these checks without sharing their work with the anti-malware vendors…By uploading the builder to VirusTotal they were basically making the source code available.”

    Independent researcher Kevin Beaumont said he “stumbled upon it” in VT while looking at a sandbox.

    Ransomware leak time – Babuk’s builder. Used for making Babuk payloads and decryption.

    builder.exe foldername, e.g. builder.exe victim will spit out payloads for:

    Windows, VMware ESXi, network attached storage x86 and ARM.

    note.txt must contain ransom.

    — Kevin Beaumont (@GossiTheDog) June 27, 2021

    He also said that the code “spits out” decryptors for certain versions of the malware. Malwarebytes meanwhile said it’s working to understand if the builder contains enough information to create a Babuk decryptor.

    The specific code is for building malware that targets Windows systems, VMWare ESXi servers, and ARM-based network-attached storage (NAS) devices, according to a separate report from BleepingComputer. Meanwhile, new Babuk attacks are launching using the leaked information, the outlet said, with the criminals asking for just .06 Bitcoin per attack – about $210.

    Why Upload the Babuk Builder to VirusTotal?

    The agents behind the VT upload of Babuk are not clear. There are a few potential scenarios, though.

    For one, it could be rival ransomware gangs looking to basically kneecap the Babuk crew and get them out of the way. That’s a possibility that researchers said would make sense only if competitors felt very strongly about Babuk making good on its promise to get out of ransomware operations.

    Another possibility is that a random person stumbled across the file and was curious as to whether it was malicious. However, as researchers noted, “it is very unlikely that someone would get this file without knowing what it is.”

    Two other options – both unlikely, according to the analysis – are that 1) a Babuk affiliate wanted to check if the code is detectable by antivirus; or 2) this is the roundabout way that Babuk decided to make its code open-source.

    In both scenarios, it’s more likely that the holder of the file would use the regular cybercrime network channels for such activities, according to the firm.

    “They would use a service that does not share it with anti-malware vendors,” for the former option, researchers said – and as for the later hypothetical, “they would certainly have made this known through their usual channels, if this was the plan.”

    It remains a mystery – for now.

    “Maybe we have missed the scenario that describes what really happened,” Malwarebytes researchers noted. “Another fact that may be of consequence, somehow, is that researchers found several defects in Babuk’s encryption and decryption code. These flaws show up when an attack involves ESXi servers and they are severe enough to result in a total loss of data for the victim.”

    Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.