BABUK, here we go again.
I read this morning in https://www.securityweek.com/new-babuk-based-ransomware-targeting-organizations-in-us-korea/ that a new group calling itself “RA Group” is using the infamous Babuk ransomware. This is just another iteration of Babuk code retooling (I’ve lost count of them…) since it was leaked to the wild around March 2021. Before the code leak it was RaaS as good as it got. Since the leak, it is “ransomware for free”, plain and simple. The original Babuk group ceased activities a little before the leak, but their nefarious wares are still living today, thanks to an allegedly disgruntled member (or not; this we will never know).
It has taken “RA Group” just a week since they premiered their leak site (not very fancy, as it is new, but fit for purpose) to post data about 4 victim organizations. And that’s the thing with Babuk code: it’s efficient, and its continuous effectiveness has established that.
Why is RA Group efficient?
Because it inherits its capabilities from the Babuk code.
From a procedure perspective, it is able to produce custom ransom notes. That does not necessarily mean that it is carrying out targeted attacks, but in this case it is so, since the code is refactored for each victim. It also means that it is launched from a sophisticated dashboard able to generate the custom notes and handle their delivery. Since it seems to be able to include a detailed list of the different kinds of data exfiltrated, that suggests some human analysis of the stolen data and a good information-gathering phase beforehand.
The sources call it a double extortion procedure, but since they are also selling the stolen data on their TOR site, that, in my mind, is triple extortion.
The attack vector is unknown, but ransomware being a “commodity”, it might well be one of the usual suspects: phishing emails with malicious URLs, weak or stolen credentials, or access-for-sale credentials from the dark web.
The malicious code has a no-nonsense approach: sophisticated enough to get the ransomware attack done but simple enough to work seamlessly.
· It uses a mutex inherited from Babuk to avoid race-condition runtime exceptions, very useful when you are multi-threading to get all files encrypted ASAP.
· It enumerates all drives, simply by checking against a hardcoded string of the letters of the alphabet. That cannot fail.
· It lives off the land: enumeration of share$ and other network resources is done via calls to the WinAPI procedure NetShareEnum (32-bit, if my memory serves me right).
· Once the enumeration is completed, it triggers the file encryption, except for the directories needed to keep the victim computer working (and the hostage able to pay the ransom). And it does it with a twist: it uses the WinAPI CryptGenRandom function to generate random bytes that are used as the private key for each victim. It is also used to invoke an open-source cipher suite that uses curve25519 for key exchange (Diffie-Hellman style) and the eSTREAM cipher HC-128 as stream cipher. (Exotic! These, I had to google. From what I’ve read, it turns out that they are extremely fast, which is very convenient for a hit-and-run attack.)
Files are only partially encrypted to speed up the process and are renamed to the extension .GAGUP.
· Obviously the Recycle Bin is emptied. Also, the VSS service is stopped, and the available Volume Shadow Copies are enumerated and deleted to close off avenues of data restoration. A WinAPI call to ShellExecuteW invokes a cmd shell with a string that executes the OS tool vssadmin.exe (more living off the land). The enumeration is performed via a WMI query, the good old “SELECT * FROM Win32_ShadowCopy”. With the Shadow Copy IDs enumerated, deleting them is just a DeleteInstance method call away. Simple, but effective.
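The shadow-copy wipe and the mass rename to .GAGUP are the two noisiest host-side signals in the behaviour above, so here is an added detection sketch (my own example for this post, not RA Group code or any vendor's rule) that runs both checks over constructed Sysmon-style records. The field names, sample paths, the `cmd.exe /c` wrapper and the burst threshold of 10 files are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records (Event ID 1 fields, simplified);
# made up for this example, not telemetry from any real incident.
PROC_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\alice\Downloads\invoice.exe",
     "cmdline": r"C:\Users\alice\Downloads\invoice.exe"},
    {"pid": 4188, "parent_image": r"C:\Users\alice\Downloads\invoice.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4350, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin.exe list shadows"},  # benign: listing, not deleting
]
# Constructed Sysmon-style file-write records (Event ID 11 fields, simplified).
FILE_EVENTS = [{"pid": 4120, "target": rf"D:\shares\finance\report{i}.xlsx.GAGUP"}
               for i in range(12)]
FILE_EVENTS.append({"pid": 900, "target": r"C:\Users\alice\notes.txt"})

# "vssadmin delete shadows" is the shadow-copy wipe the post describes; "list shadows" is not.
VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
RANSOM_EXT = ".gagup"  # extension RA Group appends to encrypted files

def is_shadow_copy_deletion(event):
    """True when the command line runs vssadmin to delete shadow copies, directly or via 'cmd.exe /c'."""
    return VSSADMIN_DELETE.search(event["cmdline"]) is not None

def encrypted_file_burst(file_events, threshold=10):
    """pid -> count of distinct *.GAGUP files written, for pids at or above the (assumed) threshold."""
    per_pid = defaultdict(set)
    for ev in file_events:
        if ev["target"].lower().endswith(RANSOM_EXT):
            per_pid[ev["pid"]].add(ev["target"].lower())
    return {pid: len(paths) for pid, paths in per_pid.items() if len(paths) >= threshold}

def triage(proc_events, file_events, threshold=10):
    """Run both rules and return (rule, pid, detail) findings for an analyst."""
    findings = []
    for ev in proc_events:
        if is_shadow_copy_deletion(ev):
            # Report the parent: the post describes ShellExecuteW launching cmd.exe from the ransomware.
            findings.append(("shadow_copy_deletion", ev["pid"], ev["parent_image"]))
    for pid, count in encrypted_file_burst(file_events, threshold).items():
        findings.append(("encrypted_file_burst", pid, count))
    return findings

if __name__ == "__main__":
    print(triage(PROC_EVENTS, FILE_EVENTS))
```

The parent image on the vssadmin finding is what ties the wipe back to the dropper, which is why it is reported rather than the cmd.exe path itself.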
About attribution, it is too early to tell, although from the victimology so far, if a nation-state is behind this, it smells like a “Chollima”. If it’s just another random cybercrime group, it will probably disappear or mutate before it can be categorized.
Detection and Response
Next-gen AVs, EDR/XDRs and other defensive tools are mostly blind to whatever happens at runtime. Memory scanning during execution is expensive in terms of performance, because you usually need to scan multiple times while an application is running and hook the right triggering operations to find malicious patterns. Or you could just scan your 4GB of virtual memory, looking for high-profile parameters at specific memory locations, at specific intervals. In the first case, you are too slow to find malicious activity; in the latter, you have to get very lucky to detect the patterns. To thwart this kind of attack we need something new. Gartner has included AMTD (Automated Moving Target Defense) in its “Emerging Technologies 2022 Report” as one of the new technologies to watch closely.
AMTD works the same way the attackers do, using mutation and polymorphism to gain stealth, as it is a deception technology. Once an application is loaded into memory (or a user interacts with it), it is morphed and moved to a different memory location, while a skeleton copy is left in the original memory location. The application runs without problem within the morphed structure, and the skeleton copy serves as a decoy/trap for any malware trying to attack the original memory location. The malicious code tries to inject itself into the skeleton, where it becomes harmless and easily detectable by detection and response tools.
It is a paradigm change because it turns reactive defense into proactive prevention, as defined by the US Department of Homeland Security: “Controlled change across multiple network and system dimensions to increase uncertainty and complexity for attackers by reducing their window of opportunity and increasing the costs of their probing and attack efforts.”
That’s exactly what we need; to make it difficult for Mallory.