On May 11, 2021, the Babuk ransomware group posted on a dark web site that they had compromised the DC Metropolitan Police Department and that their ransom demands were not being met. Later that day, the group began leaking data they acquired during the breach, which they indicated happened last month or earlier. The group also posted alleged Slack conversations between them and the DC Metro Police, in which they tried to negotiate a $4 million ransom payment that the victims were unable to pay.
While very little has been revealed regarding the malware’s delivery mechanism, phishing is a common attack vector for similar ransomware campaigns. If so, then the ransomware may have been delivered via email, messaging applications, or social media. Since SafeGuard Cyber protects its customers on messaging applications and social media, we wanted to ensure this malware would not be able to get past our detections on these services.
In order to test this, SafeGuard Cyber acquired a sample of a Babuk ransomware variant and sent it to a Telegram account we're protecting. Our solution picked up the file, sent it to our malware sandbox for analysis, and returned with a positive detection for a malicious file.
Figure: SafeGuard Cyber platform detects Babuk ransomware in a Telegram message
Aside from standard antivirus detection results, the malware triggered the following indicator rules:
- Attempts to repeatedly call a single API many times in order to delay analysis time
- Creates an Alternate Data Stream (ADS)
- Attempts to delete volume shadow copies
- This sample modifies many files through suspicious ways, likely a polymorphic virus or a ransomware
- Exhibits possible ransomware file modification behavior
- Removes the shadow copy to avoid recovery of the system
- Creates known Hupigon files, registry keys and/or mutexes
- A process created a hidden window
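As an added example (not SafeGuard Cyber's or the sandbox vendor's own code), the following Python re-implements four of the behavioural indicators above as rules evaluated over a constructed sandbox event log: shadow-copy deletion, Alternate Data Stream creation, repeated calls to a single API, and mass file modification. The event schema, the thresholds and the renamed-file extension are assumptions made for illustration.

```python
"""Behavioural indicator rules of the kind a sandbox fires on ransomware:
shadow-copy deletion, ADS creation, API spamming and mass file modification.
Event format, thresholds and the renamed extension are assumptions."""
import re
from collections import Counter

# Thresholds are assumed values chosen for illustration.
API_SPAM_THRESHOLD = 1000      # one API called this many times
MASS_MODIFY_THRESHOLD = 50     # distinct files rewritten under a new name

SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE)
# An ADS path carries a second ':' after the drive letter, e.g. C:\x\y.txt:stream
ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:]+:[^\\:]+$")


def evaluate_indicators(events):
    """Return the sorted names of indicator rules triggered by a list of
    behaviour events (dicts with 'type' process/api/file_write/file_modify)."""
    triggered = set()
    api_calls = Counter()
    modified = set()
    for ev in events:
        kind = ev["type"]
        if kind == "process" and SHADOW_DELETE.search(ev.get("cmdline", "")):
            triggered.add("deletes_shadow_copies")
        elif kind == "api":
            api_calls[ev["name"]] += ev.get("count", 1)
        elif kind == "file_write" and ADS_PATH.match(ev.get("path", "")):
            triggered.add("creates_alternate_data_stream")
        elif kind == "file_modify" and ev.get("renamed_to"):
            modified.add(ev["path"])
    if api_calls and max(api_calls.values()) >= API_SPAM_THRESHOLD:
        triggered.add("api_spamming_delays_analysis")
    if len(modified) >= MASS_MODIFY_THRESHOLD:
        triggered.add("mass_file_modification_ransomware_like")
    return sorted(triggered)


# Constructed sample events standing in for a sandbox report; not real data.
SAMPLE_EVENTS = (
    [{"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
     {"type": "api", "name": "GetTickCount", "count": 4000},
     {"type": "file_write", "path": r"C:\Users\user\Desktop\notes.txt:hidden"}]
    + [{"type": "file_modify", "path": rf"C:\Users\user\Documents\f{i}.docx",
        "renamed_to": rf"C:\Users\user\Documents\f{i}.docx.encrypted"}
       for i in range(60)]
)
```

Running `evaluate_indicators(SAMPLE_EVENTS)` returns all four rule names, while a benign event list triggers none.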
Since the malware is easily detectable by a sandbox due to its behavior, it would be hard for Babuk to spread through file attachments in email phishing schemes (since most email systems have sandboxes built in or deployed by enterprises on top of them). If this group is attempting to spread their payload through phishing attacks, they would likely have more success in targeting communication methods that traditionally don’t have sandbox solutions, such as messaging apps and social media direct messages.