The Babuk Locker ransomware builder has been leaked to the public on the internet, making it much easier for ransomware threat actors to modify it and attack targets according to their own requirements.

According to security researchers, the Babuk Locker ransomware is a dangerous threat because the builder lets an attacker create a customized version of the ransomware with little effort. The ransomware can encrypt files hosted on Windows systems, VMware ESXi servers and ARM-based network-attached storage (NAS) devices.

Babuk Ransomware builder

Besides producing the encryptor, the builder also generates the decryptor for the files Babuk encrypts, so the victims' files can be recovered. The ransomware gang announced its retirement from operations following the attack on the Washington, DC Police Department in April 2021.

The Babuk ransomware builder was leaked online in early June 2021; it was discovered when the file was uploaded to VirusTotal for malware scanning.

Kevin Beaumont, a British security researcher, discovered the files and, according to the report, shared a copy with Record Media for reporting purposes.

The builder was leaked two weeks after the Paradise Ransomware source code leak. Security experts believe that low-skilled hackers can easily use it to attack victims with little or no customization of the ransomware.

Indicators of Compromise (IoC) for Babuk Ransomware

Defenders can use the following observed IoCs to detect and block Babuk ransomware:

URLs

Contact site: hxxp://babukq4e2p4wu4iq.onion/login.php?id=<VICTIM_IDENTIFIER>

Dedicated Leak Site (DLS): hxxp://gtmx56k4hutn3ikv.onion


File Extensions

  • .__NIST_K571__
  • .babyk

Dropped Files for Babuk Ransomware

  • How To Restore Your Files.txt
  • %appdata%\ecdh_pub_k.bin
  • DECR.TXT (Early ‘Vasa Locker’ version)
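As an added defender-side example (not part of the original article), the following Python triage scan applies the file-based indicators listed above to a directory tree: the two encrypted-file extensions, the dropped ransom note and ECDH public-key blob, and an optional caller-supplied set of known SHA-256 hashes. The sample files and the hash set it matches against are constructed for the demo.

```python
"""Triage scan for the Babuk Locker file artefacts listed on this page (demo)."""
import hashlib
import os
import tempfile

# Indicators from the page; matching is case-insensitive on the file name.
BABUK_EXTENSIONS = (".__nist_k571__", ".babyk")
BABUK_DROPPED_FILES = {"how to restore your files.txt", "ecdh_pub_k.bin", "decr.txt"}


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large encrypted blobs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, known_sha256=frozenset()):
    """Return a sorted list of (reason, path) findings under root."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path, lower = os.path.join(dirpath, name), name.lower()
            # Babuk appends its marker, so it is always the final suffix.
            if lower.endswith(BABUK_EXTENSIONS):
                findings.append(("encrypted-extension", path))
            if lower in BABUK_DROPPED_FILES:
                findings.append(("dropped-file", path))
            if known_sha256 and sha256_of(path) in known_sha256:
                findings.append(("hash-match", path))
    return sorted(findings)


def demo():
    """Build a constructed sample tree, scan it and return the findings."""
    root = tempfile.mkdtemp(prefix="babuk_demo_")
    samples = {  # constructed sample files, not real malware artefacts
        "Documents/report.docx.babyk": b"\x00" * 64,
        "Documents/budget.xlsx.__NIST_K571__": b"\x01" * 64,
        "Documents/How To Restore Your Files.txt": b"constructed ransom note",
        "AppData/Roaming/ecdh_pub_k.bin": b"\x02" * 32,
        "Documents/clean.txt": b"benign file, must not be flagged",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    # Hash-match demo: treat the dropped key blob's hash as a known indicator.
    key_hash = sha256_of(os.path.join(root, "AppData/Roaming/ecdh_pub_k.bin"))
    return scan_tree(root, known_sha256={key_hash})
```

In a real deployment, populate `known_sha256` from a vetted indicator feed rather than from a file on the scanned host.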


By Michael

The writer of Infohaunt is a cyber security professional with experience in SOC operations, threat management, incident response, threat hunting and digital forensics.