The Washington D.C. Police Department at the Gunpoint of the Russian Babuk Ransomware Group

Alexander Adamov
Spin.AI Ransomware Protection
4 min read · May 4, 2021

On April 26, the Washington D.C. Metropolitan Police Department (MPD) announced that the Babuk ransomware group had gained unauthorized access to one of its servers. The attackers claimed to hold more than 250 GB of classified data, including information on the activities of criminal groups and police intelligence reports. To back up the claim, they posted screenshots on their data leak site. McAfee reported that the folders allegedly stolen from the MPD are named “Gang Conflict Report,” “BLOODS” and “BEEFS — CONFLICTS.” There is no confirmed information on whether the MPD files were encrypted, but if they were, the department is exposed to double extortion: a ransom demanded both for decryption and for withholding the stolen data.

The hackers mocked MPD’s security, saying “We find 0 day before you,” and demanded that the ransom be paid as soon as possible to stop the data leak.

Later, the criminals published a notice that they are closing their RaaS business and making the Babuk ransomware’s code open source. They still plan to continue breaking into organizations and exfiltrating data, but without encrypting files.

Earlier, at the end of February, the same happened to the British outsourcing company Serco, after which the attackers attempted double extortion. Then, in mid-April, the attack was directed at the Houston Rockets basketball team. The hackers threatened to release a large amount of data, including player contracts, nondisclosure agreements, and financial records, but the team’s internal security tools prevented the ransomware from being installed and the incident had little or no impact on its operations.

Babuk is a newcomer of 2021 that has already attacked five large companies and earned at least $85,000. According to McAfee, Babuk currently targets the transportation, healthcare, plastics, electronics, and agriculture sectors.

Let’s take a look at how SpinOne would protect against Babuk ransomware.

First, the files are encrypted on the local computer:

The dropped ransom note includes the address in the Tor network where a victim can find the proof of the compromise and contact the attackers.

The latest version uses the HC-128 stream cipher for file encryption, replacing the ChaCha8 used before (a reduced-round variant of the ChaCha20 stream cipher with 8 rounds). The file encryption key is derived with Elliptic-curve Diffie–Hellman (ECDH), which is normally used to establish a shared secret between two parties that each hold an elliptic-curve public-private key pair. To compute the file encryption key (the shared secret), one needs the private key of one party and the public key of the other. In Babuk’s case, the ransomware leaves the generated local public key in the ‘ecdh_pub_k.bin’ file in the %AppData% folder and deletes the corresponding local private key once encryption is complete. The only remaining way to reconstruct the file encryption key is therefore to know the attacker’s private key.
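To make the key-recovery argument above concrete, here is an added illustration (not Babuk’s code and not part of the original post) of the ECDH scheme as the paragraph describes it. It assumes X25519 as the curve and SHA-256 as the key-derivation step, neither of which the post states; the point it demonstrates is that once the local private key is gone, only the attacker’s private key combined with ecdh_pub_k.bin reproduces the file key, which is why backups, not cryptanalysis, are the recovery path.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Curve is an assumption for this example; the post only says "ECDH".
var curve = ecdh.X25519()

// VictimKeyMaterial models what exists on the infected host after the
// ransomware finishes: the ephemeral public key (ecdh_pub_k.bin) and the
// file key that was used in memory and never written to disk.
type VictimKeyMaterial struct {
	PubKeyFile []byte // contents of %AppData%\ecdh_pub_k.bin
	FileKey    []byte // 32-byte key fed to the file cipher (HC-128 in Babuk)
}

// deriveFileKey hashes the ECDH shared secret into a fixed-size key.
// SHA-256 is an assumption; the post does not describe Babuk's KDF.
func deriveFileKey(shared []byte) []byte {
	sum := sha256.Sum256(shared)
	return sum[:]
}

// VictimSide performs the agreement as the post describes it: generate an
// ephemeral local pair, combine the local private key with the attacker's
// public key, keep only the local public key, and drop the private half.
func VictimSide(attackerPub *ecdh.PublicKey) (VictimKeyMaterial, error) {
	localPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return VictimKeyMaterial{}, err
	}
	shared, err := localPriv.ECDH(attackerPub)
	if err != nil {
		return VictimKeyMaterial{}, err
	}
	// localPriv goes out of scope here: nothing else retains it.
	return VictimKeyMaterial{PubKeyFile: localPriv.PublicKey().Bytes(), FileKey: deriveFileKey(shared)}, nil
}

// AttackerSide is the only party that can redo the computation: it reads
// ecdh_pub_k.bin and completes the same ECDH with its own private key.
func AttackerSide(attackerPriv *ecdh.PrivateKey, pubKeyFile []byte) ([]byte, error) {
	localPub, err := curve.NewPublicKey(pubKeyFile)
	if err != nil {
		return nil, err
	}
	shared, err := attackerPriv.ECDH(localPub)
	if err != nil {
		return nil, err
	}
	return deriveFileKey(shared), nil
}
```

A defender holding ecdh_pub_k.bin but not the attacker’s private key gets a different key from AttackerSide, which is exactly the situation the post describes.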

One of the earlier versions of the cryptolocker appends text to the end of every encrypted file mentioning the security researcher Chuong Dong, who discovered a weakness in the encryption scheme of an early version of the ransomware.

SpinOne Ransomware Protection detects and stops the attack. SpinOne then recovers the encrypted files in the cloud.

The files on Google Drive were successfully recovered by SpinOne:

Dr. Alexander Adamov has 15 years of experience in the analysis of cyberattacks. He also teaches cybersecurity at university and explores AI/ML capabilities.