Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.
| Title | Available | Last Visit | FQDN | Screenshot |
|---|---|---|---|---|
| Babuk - Leaks site | 🔴 | 2024-02-26 07:35:58.320788 | nq4zyac4ukl4tykmidbzgdlvaboqeqsemkp4t35bzvjeve6zm2lqcjid.onion | N/A |
| Discovery | RMM Tools | Defense Evasion | Credential Theft | OffSec | Networking | LOLBAS | Exfiltration |
|---|---|---|---|---|---|---|---|
| File[.]io |
This information is provided by Ransomware-Tool-Matrix
| Name | # Msg | Initial Ransom | Negotiated Ransom | Paid |
|---|---|---|---|---|
| 20210203 | 106 | N/A | N/A | |
| 20210428 | 44 | N/A | N/A |
This information is provided by Valéry Marchive
| Employees(s) | Customer(s) | Third Party Employee(s) |
|---|---|---|
This information is provided by HudsonRock
You're leaving the Ransomare.live site. Do you want to continue?
/*
Babuk ransomware
*/
rule Babuk_ESXi
{
meta:
author = "rivitna"
family = "ransomware.babuk.esxi"
description = "Babuk ESXi"
severity = 10
score = 100
strings:
$h0 = "/dev/urandom\x00" ascii
$h1 = "EiB\x00PiB\x00TiB\x00GiB\x00MiB\x00KiB\x00B\x00" ascii
$h2 = "crypting: %s\n\x00" ascii
$c0 = { 67 E6 09 6A [2-8] 85 AE 67 BB [2-8] 72 F3 6E 3C [2-8]
3A F5 4F A5 [2-8] 7F 52 0E 51 [2-8] 8C 68 05 9B }
$c1 = { 98 2F 8A 42 91 44 37 71 CF FB C0 B5 A5 DB B5 E9
5B C2 56 39 F1 11 F1 59 A4 82 3F 92 D5 5E 1C AB }
$c2 = { 79 37 9E 89 [4-16] C1 C? ( 15 | 0B ) [16-40] 79 37 9E 89 }
condition:
(uint32(0) == 0x464C457F) and (filesize < 120000) and
(
(all of ($c*)) and (1 of ($h*))
)
}