A New Year brings in new things, and one of those is a new piece of encrypting ransomware. Babuk has recently started targeting companies scarcely one week into 2021.
Analysis by security researcher Chuong Dong reveals that while the attack techniques are standard fare, its use of ChaCha8 encryption is not. Additionally, Babuk appears to be customized per victim, with the ransom note directing the victim to a Tor site. The ransomware operators use a chat screen on this Tor site to negotiate with the victim and to prove that they can decrypt the files. They also apply extortion pressure by showing the victim that they hold unencrypted copies of files captured during the attack.
Current reporting indicates that this ransomware operation is targeting corporations, with five publicly announced victims so far. The operators do not appear to be targeting any specific industry or region; the known victims are:
- A US-based heating and air firm
- A German diagnostics healthcare firm
- A vehicle parts manufacturer
- A furniture manufacturer
- An elevator and escalator firm
Babuk currently arrives as an executable (.exe) file; given the targeted nature of this attack, delivery via phishing emails or infected documents is suspected.
While this particular piece of ransomware is new, the defensive methods are the same. Stay vigilant, and take care in this New Year.