The Babuk Locker ransomware builder has been leaked publicly on the internet, making it easy for ransomware actors to modify the malware and tailor it to their chosen targets.
According to security researchers, the leaked builder is a serious threat because it lets an attacker generate a customized version of the ransomware with little effort. The resulting ransomware can encrypt files on Windows systems, VMware ESXi servers and ARM-based network-attached storage (NAS) devices.
The builder also generates the matching decryptor for files the ransomware has encrypted. The gang announced its retirement from operations after having targeted the Washington, DC police department in April 2021.
The Babuk ransomware builder was leaked online in early June 2021; it was discovered after being uploaded to VirusTotal for malware scanning.
British security researcher Kevin Beaumont discovered the files and shared a copy with Record Media for reporting purposes, according to the report.
The builder leaked two weeks after the Paradise ransomware source code leak, and security experts believe that low-skilled attackers can use it with little or no customization to attack their victims.
Indicators of Compromise (IoC) for Babuk Ransomware
Defenders can use the following observed indicators of compromise (IoCs) to detect and block Babuk ransomware:
URLs
Contact site: hxxp://babukq4e2p4wu4iq.onion/login.php?id=<VICTIM_IDENTIFIER>
Dedicated leak site (DLS): hxxp://gtmx56k4hutn3ikv.onion
File Extensions
- .__NIST_K571__
- .babyk
Dropped Files for Babuk Ransomware
- How To Restore Your Files.txt
- %appdata%\ecdh_pub_k.bin
- DECR.TXT (Early ‘Vasa Locker’ version)
Email ID [email protected]
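As an added example (not code from the original post or from CyberInt), the scanner below walks a directory tree and flags the file-based indicators listed above: the encrypted-file extensions, the dropped ransom note and key file names, and optionally a set of known sample SHA256 hashes that the operator supplies. The hash set, the chunked hashing and the skip-on-unreadable behaviour are assumptions of this example, not details from the post.

```python
"""Scan a directory tree for the Babuk Locker file-system indicators listed above.
Added example, not part of the original post; the hash set is supplied by the operator."""
import hashlib
import os

# Indicators from the IoC section of this post (compared case-insensitively).
BABUK_EXTENSIONS = {".babyk", ".__nist_k571__"}
BABUK_DROPPED_FILES = {"how to restore your files.txt", "ecdh_pub_k.bin", "decr.txt"}


def indicators_for(name, sha256_hex=None, known_sha256=frozenset()):
    """Return the indicator labels one file name (and optional digest) matches.

    Pure function with no I/O so it can be unit-tested; an empty list means clean.
    Windows and POSIX separators are both accepted so paths from either OS work.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    hits = []
    ext = os.path.splitext(base)[1]
    if ext in BABUK_EXTENSIONS:
        hits.append("encrypted-file-extension:" + ext)
    if base in BABUK_DROPPED_FILES:
        hits.append("dropped-file:" + base)
    if sha256_hex is not None and sha256_hex.lower() in known_sha256:
        hits.append("known-sample-sha256:" + sha256_hex.lower())
    return hits


def sha256_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large volumes do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, known_sha256=frozenset()):
    """Walk `root` and return {path: [indicators]} for every file that matched.
    Files are only hashed when a hash set was supplied, to keep the scan cheap."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            digest = None
            if known_sha256:
                try:
                    digest = sha256_of(path)
                except OSError:
                    continue  # unreadable (locked, permissions): skip rather than abort
            hits = indicators_for(path, digest, known_sha256)
            if hits:
                findings[path] = hits
    return findings
```

Run `scan_tree("/path/to/share", known_sha256=frozenset(your_hash_set))` with hashes taken from a trusted IoC feed; file-name hits alone are enough to trigger triage even without a hash set.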
Reference:
https://blog.cyberint.com/babuk-locker