New Ransomware Babuk Locker Targets Large Corporations

Despite being a mostly run-of-the-mill ransomware strain, Babuk Locker’s encryption mechanisms and abuse of Windows Restart Manager set it apart.

Only a few days into the new year, one of the first new ransomware strains of 2021 has been discovered. Dubbed Babuk Locker, the ransomware appears to have successfully compromised five companies thus far, according to new research.

The research author, Chuong Dong, a computer science student at Georgia Tech, said that he first saw the ransomware mentioned in a tweet by a security researcher who goes by “Arkbird” on Twitter. He then discovered information about Babuk on RaidForums, which is a forum for sharing databases of breaches and leaks.

Dong said that, according to the website embedded in Babuk’s ransom note and information from the RaidForums leaks, the ransomware has successfully compromised five different companies worldwide. According to a report by BleepingComputer, these victim companies range from a medical testing products manufacturer to an air conditioning and heating company in the U.S., and at least one of the companies has agreed to pay an $85,000 ransom.

While Babuk has some hallmark characteristics that range from unsophisticated to run-of-the-mill, it also touts more novel tricks, specifically when it comes to encryption and the abuse of legitimate Windows features, said Dong.

“Babuk is a new ransomware that started at the beginning of this year,” said Dong in an analysis this week. “Despite the amateur coding practices used, its strong encryption scheme that utilizes Elliptic-curve Diffie–Hellman algorithm has proven effective in attacking a lot of companies so far.”