
PR Campaign: Babuk Ransomware Gang Claims Decryptor Repaired

Gang Issued Statement After Emsisoft Found Decryptor Flaw
The message Babuk posted to its website

The Babuk ransomware gang launched a public relations campaign Saturday, posting a message on its website saying it had repaired a defect in the decryptor it provides to victims who pay the ransom demand.


"Message for journalists. Hi. We are the babuk team and we are always improving our software: Not so long ago, Emsisoft found a bug in our ESX descriptor, it broke some vhdx disks of the VMware hypervisor," the note says. "We immediately corrected this error."

When commenting on Babuk taking responsibility for an April 14 ransomware attack against the Houston Rockets basketball team, Brett Callow, a threat analyst with the security firm Emsisoft, told Information Security Media Group that Babuk's decryptor destroys the files it decrypts (see: Houston Rockets Investigate Ransomware Attack).

Emsisoft is now checking whether the Babuk gang has in fact repaired the decryptor.

Even if it has fixed the flaw, the decryptor could still be faulty, resulting in its victims suffering data loss or additional malware infections.

"The simple fact is that it would be a huge mistake to assume that criminals' decryptors will work as they should. At best, they'll perform poorly," Callow says. "At worst, they'll trash the data. If an organization intends to use a tool which was supplied by a ransomware gang, it's critical that the encrypted files be backed up first as a safeguard."
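Callow's safeguard, keeping a copy of the encrypted files before a gang-supplied decryptor touches them, as an added example in Python that is not code from the article, from Emsisoft or from Babuk. It snapshots the encrypted tree with a SHA-256 manifest, audits which originals the decryptor rewrote or removed, and restores the damaged ones from the snapshot. The directory names and file contents are constructed for the demonstration.

```python
"""Safeguard for a gang-supplied decryptor: snapshot the encrypted files with a
SHA-256 manifest first, audit what the decryptor did to them afterwards, and
restore anything it removed or rewrote. Added example, not Emsisoft's or ISMG's
code; file names and contents below are constructed."""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large virtual disks are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_encrypted(src: Path, dst: Path) -> dict[str, str]:
    """Copy every file under src into dst (same relative layout) and return a
    {relative_path: sha256} manifest of the copies, verified against the originals."""
    src, dst = src.resolve(), dst.resolve()
    if dst == src or src in dst.parents:
        raise ValueError("snapshot destination must lie outside the encrypted tree")
    manifest: dict[str, str] = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = path.relative_to(src).as_posix()
        copy = dst / rel
        copy.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, copy)
        digest = sha256_of(copy)
        if digest != sha256_of(path):  # the copy must be byte-identical to the original
            raise RuntimeError(f"snapshot of {rel} does not match the original")
        manifest[rel] = digest
    (dst / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def audit_after_decryptor(src: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Classify each original after the decryptor ran: still the encrypted bytes
    (intact), rewritten in place (changed), or gone (missing)."""
    report: dict[str, list[str]] = {"intact": [], "changed": [], "missing": []}
    for rel, digest in manifest.items():
        p = src / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != digest:
            report["changed"].append(rel)
        else:
            report["intact"].append(rel)
    return report


def restore_from_snapshot(dst: Path, src: Path, manifest: dict[str, str], rels: list[str]) -> int:
    """Copy the listed files back from the snapshot, refusing any copy whose hash
    no longer matches the manifest; returns the number of files restored."""
    restored = 0
    for rel in rels:
        copy = dst / rel
        if sha256_of(copy) != manifest[rel]:
            raise RuntimeError(f"snapshot copy of {rel} is itself damaged")
        (src / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(copy, src / rel)
        restored += 1
    return restored


def demo() -> dict:
    """Run the workflow on a constructed tree, simulating a faulty decryptor that
    truncates one file and deletes another (the failure mode the article warns about)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        victim, backup = root / "victim", root / "backup"
        files = {  # constructed stand-ins for encrypted files; the extension is hypothetical
            "vm/disk1.vmdk.enc": b"\x13\x37" * 4096,
            "vm/disk2.vmdk.enc": b"\xde\xad" * 4096,
            "docs/report.docx.enc": b"\xca\xfe" * 512,
        }
        for rel, data in files.items():
            (victim / rel).parent.mkdir(parents=True, exist_ok=True)
            (victim / rel).write_bytes(data)
        manifest = snapshot_encrypted(victim, backup)
        # simulated faulty decryptor: "decrypts" disk1 to nothing and removes the document
        (victim / "vm/disk1.vmdk.enc").write_bytes(b"")
        (victim / "docs/report.docx.enc").unlink()
        report = audit_after_decryptor(victim, manifest)
        damaged = report["changed"] + report["missing"]
        restored = restore_from_snapshot(backup, victim, manifest, damaged)
        return {
            "report": report,
            "restored": restored,
            "all_intact_after_restore": audit_after_decryptor(victim, manifest)["intact"] == sorted(files),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The snapshot destination must be on separate storage from the encrypted tree and must be taken before the decryptor runs; the manifest is what lets an operator prove afterwards which files the tool rewrote or deleted rather than guessing.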

Efforts to Win a Ransom

Philip Reitinger, president and CEO of the Global Cyber Alliance, says he wasn't surprised by Babuk's latest PR move, pointing out that the gang is taking steps in hopes of getting more victims to pay a ransom.

"Ransomware gangs want victims to believe that paying the money means getting your data back and preventing a leak. That's clearly a 'business imperative' for them, and in that regard, I'm not surprised that blog was written or by its content, which is focused on these two issues," he says.

Erin Sindelar, threat researcher at Trend Micro, says ransomware gangs are now more frequently posting messages. "We haven’t seen this specifically from Babuk before, but we expect more of this type of notification to continue as actors seek new, more convincing ways to encourage victims to pay," she says.

Trend Micro first spotted Babuk in December 2020, at which time researchers labeled it Vasa Locker. It was given its current moniker in 2021.

Rockets Attack

The Houston Rockets reported on April 14 that the team was hit with ransomware, although it did not say which variant was involved. The malware did not halt operations, and security staffers were able to contain the ransomware, the team said.

Last week, Babuk posted files and folders to its site that it claimed had been taken from the Rockets. The team has not confirmed that it has lost any data.

Callow noted at the time that if Babuk was behind the attack, recovering the data could be difficult even if the team managed to obtain a decryption key. Emsisoft also pointed to a bug that causes Babuk merely to rename files on an ESXi server without encrypting them.

"Babuk incidents are particularly problematic, as the Linux decryptor the actor supplies is buggy and will actually trash data as it's decrypted, resulting in it being lost," Callow said.


About the Author

Doug Olenick

News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to joining ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.