Articles Babuk decryptor not working and corrupting victims' data

Babuk decryptor not working and corrupting victims’ data


McAfee experts released a report on Babuk ransomware, in which they concluded that attempts to make the malware cross-platform and use it against Linux / UNIX and ESXi or VMware have failed.

Let me remind you that at the beginning of the year, the creators of Babuk reported that they had developed a version of the ransomware for * nix, since many backends in large companies do not run under Windows at all. However, according to the researchers, the ransomware was written with many errors that “led to irreversible data corruption.”

“It looks like Babuk ran a live beta test on its victims when it came to developing the Golang binary and decoder. We observed that several victims’ machines were encrypted without the possibility of data recovery due to a faulty binary and a faulty decryptor, ”write the McAfee experts.

Thus, even if the victim agrees to pay the ransom to the hackers, it will not be possible to decrypt the affected files. Experts hope that this will ultimately affect the relationship of Babuk developers with “partners” who are directly involved in attacks and infect networks of victims with malware. If victims cannot get their data back even after paying the ransom, their grievances will turn to Babuk’s “partners”.

Since destroying data instead of encrypting it is less profitable from the point of view of criminals, experts believe that it was the complete inoperability of the * nix version of Babuk and the decryptor that forced hackers to switch to data theft and extortion, abandoning encryption.

Let me remind you that earlier this year, Babuk’s operators announced  that they were shutting down (after a  loud attack  on the Washington police department). It is believed that the hackers renamed their “leak site” to Payload.bin, and were ready to provide it to other criminals as a third-party hosting, where someone’s files can be leaked without starting their own site for this purpose, as well as as a platform on which ransomware, access brokers and other criminals will be able to “meet”. Indeed, recently, almost all major hack forums have  banned  any discussion related to ransomware and ransomware. However, things do n’t seem to be going well for the group., and the forum was unable to gain popularity, but was subjected to DDoS attacks and suffered from various bugs.

As for the failed Babuk decryptor, the researchers tell the following about it:

“In general, the decryptor is bad because it only looks for the .babyk extension and skips any files the victim might have renamed in an attempt to recover them. In addition, the decryptor checks if the file is larger than 32 bytes, since the last 32 bytes are later combined with other hard-coded values ​​to obtain the key. This is bad design, because those 32 bytes might be garbage, not a key. “

Must read

28 dangerous extensions detected for Google Chrome and Microsoft Edge

Avast experts have discovered malware hidden in at least 28 third-party...

Critical Infrastructure Warning! Millions of PLCs, switches, IoT devices are under threat

Eleven vulnerabilities, combined under the name Urgent / 11,...

Why Is It Important To Have Intrusion Detection And Prevention ?

This article describes why detection and prevention of burglaries...

The risk is real: attacks on OT infrastructure

Previously, many believed that attacks on an isolated OT...

Gitpaste-12: Linux bot armed with a dozen exploits

Researchers at Juniper Networks have discovered a Linux scripting...

Saferwall : Open Source Malware Analysis

Saferwall is an open source malware analysis platform. It...

Network Vulnerability Assessment ? Why Should Every Company Do it at least once a Year !

Network vulnerability assessment analyzes a variety of network issues,...

Artificial Intelligence and Cyber Security

As artificial intelligence intrudes into the world of cybersecurity,...

You might also likeRELATED
Recommended to you