{
	"id": "0056b455-2817-438e-b6b8-507afaabca9c",
	"created_at": "2026-04-06T00:12:30.84111Z",
	"updated_at": "2026-04-10T03:20:44.297189Z",
	"deleted_at": null,
	"sha1_hash": "4eb91f4eed274fb28864880eb1a3ecb8ed7af856",
	"title": "Babuk Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 629333,
	"plain_text": "Babuk Ransomware\r\nBy Chuong Dong\r\nPublished: 2021-01-03 · Archived: 2026-04-05 15:31:29 UTC\r\nReverse Engineering  · 03 Jan 2021\r\nOverview\r\nThis is my report for the new Babuk Ransomware that recently appeared at the beginning of 2021.\r\nSince this is the first detection of this malware in the wild, it’s not surprising that Babuk is not obfuscated at all.\r\nOverall, it’s a pretty standard ransomware that utilizes some of the newer techniques we have seen, such as multi-threaded\r\nencryption as well as abusing the Windows Restart Manager, similar to Conti and REvil.\r\nFor its encryption scheme, Babuk uses its own implementation of SHA256 hashing, ChaCha8 encryption, and the\r\nElliptic-curve Diffie–Hellman (ECDH) key generation and exchange algorithm to protect its keys and encrypt\r\nfiles. Like many ransomware families that came before it, it also has the ability to spread its encryption by enumerating\r\nthe available network resources.\r\nFigure 1: RaidForums Babuk leak\r\nIOCs\r\nBabuk Ransomware comes in the form of a 32-bit .exe file.\r\nMD5: e10713a4a5f635767dcd54d609bed977\r\nhttp://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/\r\nPage 1 of 13\n\nSHA256: 8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9\r\nSample:\r\nhttps://bazaar.abuse.ch/sample/8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9/\r\nFigure 2: VirusTotal result\r\nRansom Note\r\nFigure 3: Babuk’s ransom note\n\nFigure 4: Babuk’s Website\r\n(Pretty unprofessional from the Babuk team since they did not remove the chat log between them and a victim)\r\nCode Analysis\r\nCommand-line Arguments\r\nBabuk can work with or without command-line parameters. 
If no parameter is given, it’s restricted to only\r\nencrypting the local machine.\n\nFigure 5: Argument parsing\r\nIf a parameter is given, it processes these arguments upon execution and behaves accordingly.\r\nCMD Args      Functionality\r\n-lanfirst     Same as no parameter given, encrypting locally\r\n-lansecond    Encrypting network shares after encrypting locally\r\n-nolan        Same as no parameter given, encrypting locally\r\nTerminating Services\r\nBabuk’s authors hard-coded a list of services to be closed before encryption.\r\nBefore terminating a service, Babuk calls EnumDependentServicesA to retrieve the name and status of each\r\nservice that depends on the specified service.\r\nIt then calls ControlService with the control code SERVICE_CONTROL_STOP to stop them before\r\nterminating the main service the same way.\r\nFigure 6: Terminating services\r\nHere is the list of services to be closed.\n\nvss, sql, svc$, memtas, mepocs, sophos, veeam, backup, GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr, DefWatch, ccEvtMgr,\r\nccSetMgr, SavRoam, RTVscan, QBFCService, QBIDPService, Intuit.QuickBooks.FCS, QBCFMonitorService, YooBackup,\r\nYooIT, zhudongfangyu, sophos, stc_raw_agent, VSNAPVSS, VeeamTransportSvc, VeeamDeploymentService, VeeamNFSSvc,\r\nveeam, PDVFSService, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser,\r\nBackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService,\r\nAcrSch2Svc, AcronisAgent, CASAD2DWebSvc, CAARCUpdateSvc\r\nTerminating Running Processes\r\nThe author also hard-coded a list of processes to be closed.\r\nUsing calls to CreateToolhelp32Snapshot, Process32FirstW, and Process32NextW to examine all of the\r\nprocesses running on the system, Babuk loops through them and looks for processes that need to be 
closed. Upon\r\nfinding any, it calls TerminateProcess to terminate it.\r\nFigure 7: Terminating processes\r\nHere is the list of processes to be closed.\r\nsql.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, isqlplussvc.exe,\r\nxfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefox.exe, tbirdconfig.exe,\r\nmydesktopqos.exe, ocomm.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe,\r\nmspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thunderbird.exe,\r\nvisio.exe, winword.exe, wordpad.exe, notepad.exe\n\nDeleting Shadow Copies\r\nBabuk attempts to delete shadow copies before and after encryption.\r\nFirst, it calls Wow64DisableWow64FsRedirection to disable file system redirection before calling\r\nShellExecuteW to execute this command:\r\ncmd.exe /c vssadmin.exe delete shadows /all /quiet\r\nAfter deleting the shadow copies, Babuk checks if the system is running on a 64-bit processor. If it is, then\r\nWow64RevertWow64FsRedirection is called to enable file system redirection again.\r\nFigure 8: Deleting Shadow Copies\r\nEncryption\r\nKey Generation\r\nFirst, Babuk uses RtlGenRandom to generate 4 random buffers. Two of them are used as ChaCha8 keys, and the\r\nother two are used as ChaCha8 nonces.\n\nFigure 9: Randomly generating ChaCha8 keys and nonces\r\nNext, it encrypts the second ChaCha8 key using the first key and nonce. 
After that, the first key is then\r\nencrypted using the encrypted second key and nonce.\r\nThis encrypted first key is treated as the Elliptic-curve Diffie–Hellman (ECDH) private key for the local machine.\r\nFigure 10: Randomly generating ECDH private key\r\nFrom here, Babuk generates a local ECDH public key from the private key using the code from this ECDH library.\r\nThen, it generates a shared secret using the local private key and the author’s hard-coded public key.\r\nThis shared secret goes through a SHA256 hashing algorithm to generate 2 ChaCha8 keys, which are used to\r\nencrypt files later.\r\nIn order to be able to decrypt files, Babuk stores the local public key in the file ecdh_pub_k.bin in the\r\nAPPDATA folder.\r\nBecause of ECDH’s mechanism, the ransomware author can generate the shared secret using his own private key\r\nand the victim’s public key to decrypt files. This makes it impossible for the victim to decrypt on their own unless\r\nthey can capture the randomly-generated private key in the malware before it finishes encrypting.\n\nFigure 11: Generating ChaCha8 keys from ECDH shared secret\r\nMultithreading\r\nFrom a programmer’s point of view, Babuk’s approach to multithreading is pretty mediocre.\r\nFirst, it determines the number of threads to spawn by doubling the number of cores on the victim’s machine and\r\nallocates an array to store all of the thread handles.\r\nFigure 12: Thread initialization\r\nThe first problem with this approach has to do with thread concurrency in an OS. A huge number of threads can\r\npotentially be created for each process. 
However, in an ideal situation, it’s better to have one thread running per\r\nprocessor to avoid having threads compete with each other for the processor’s time and resources during\r\nencryption.\r\nThat, by itself, would not be that big of a problem if the author had implemented a queue-like structure to process\r\nencryption requests and utilize 100% of the victim’s processing power. Unfortunately, they decided to only spawn one\r\nencrypting thread per existing drive.\n\nFigure 13: Launching encrypting threads\r\nIn the case where the number of drives is less than the number of processors (which is highly likely), Babuk won’t\r\nspawn as many threads as it could to encrypt.\r\nSince each thread is responsible for an entire drive, this forces it to use the traditional recursive approach to\r\ntraverse its own folders, which results in a longer encryption time due to the huge workload.\r\nThe workload for each thread varies based on the size of the drive it’s encrypting, so the overall encryption time\r\nwill be approximately the time it takes for one thread to encrypt the largest drive. This is inefficient and\r\nreally defeats the purpose of using multithreading to encrypt drives.\r\nFolder Traversing\r\nAs discussed above, Babuk uses a recursive method to traverse and encrypt files. Using FindFirstFileW and\r\nFindNextFileW calls, it goes through each directory to look for files and sub-directories.\r\nWhen encountering a directory, it recursively calls the main_encrypt function again. 
However, Babuk only goes\r\n16 directory layers deep, so to save time it potentially does not encrypt every single folder on the drive.\r\nWhen encountering a file, it checks if the file name is How To Restore Your Files.txt or if the file extension is\r\n.__NIST_K571__ to avoid encrypting the ransom note or already-encrypted files.\n\nFigure 14: Traversing through folders\r\nKill File Owner\r\nSimilar to the Conti or REvil ransomware, Babuk utilizes the Windows Restart Manager to terminate any process that\r\nis using files. This ensures that nothing prevents it from opening and encrypting the files.\r\nThis is accomplished through calls to RmStartSession, RmRegisterResources, and RmGetList to get a list of\r\nprocesses that are using a specified file. If the process is not explorer.exe or a critical process, then Babuk\r\ncalls TerminateProcess to kill it.\n\nFigure 15: Killing processes that are using files\r\nFile Encryption\r\nBabuk’s file encryption is divided into 2 different types - small file encryption and large file encryption.\r\nFor small files that are less than 41943040 bytes or roughly 41 MB in size, the file is mapped entirely and\r\nencrypted with ChaCha8 two times.\r\nFigure 16: Small file encryption\r\nWith large files, encryption is a bit different. 
To save time, the entire file is divided into three equally-large\r\nregions.\r\nFor each of these regions, only the first 10485760 bytes or 10 MB are encrypted.\r\nFigure 17: Large file encryption\n\nFor encryption, Babuk uses the two ChaCha8 keys generated from the ECDH shared secret’s SHA256 hash as the\r\nencryption keys and the first 12 bytes of the shared secret as the nonce.\r\nRemote File Encryption\r\nTo encrypt the remote drives from the victim machine, Babuk calls WNetGetConnectionW to retrieve the names\r\nof the network resources associated with those drives and passes them to the encrypting thread.\r\nFigure 18: Encrypting remote drives\r\nIt also encrypts network shares on the machine’s LAN given the correct parameter.\r\nBabuk calls WNetOpenEnumW and WNetOpenEnumW to traverse remote folders on the network and\r\nencrypts files using the same recursive method mentioned above.\r\nFigure 19: LAN Encryption\r\nKey Findings\r\nBabuk is a new ransomware that started at the beginning of this year. Despite the amateur coding practices used,\r\nits strong encryption scheme, which utilizes the Elliptic-curve Diffie–Hellman algorithm, has proven effective in\r\nattacking a lot of companies so far.\r\nBecause the malware authors are using one private key for each Babuk sample, it’s clear that their main target is\r\nlarge corporations instead of normal computer users. 
So far, according to the website embedded in the ransom\r\nnote as well as the leaks on RaidForums, they have successfully compromised 5 different companies in the world.\r\nMessage to newer victims\r\nI recently noticed I’m getting a lot more traffic from Europe on this page, which I’m assuming means newer victims are\r\nviewing this to better their understanding of the ransomware.\r\nThis blog post is really out of date because Babuk has evolved a lot, and the malware is drastically different from\r\nwhat I talk about here.\r\nIf recent Babuk victims are interested in getting more information about the newer version of this ransomware or\r\nrequire any assistance with analyzing any sample, feel free to reach out to me through my email cdong49@gatech\r\nor Twitter!\n\nYARA Rule\r\nrule BabukRansomware {\r\n    meta:\r\n        description = \"YARA rule for Babuk Ransomware\"\r\n        reference = \"http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/\"\r\n        author = \"@cPeterr\"\r\n        date = \"2021-01-03\"\r\n        rule_version = \"v1\"\r\n        malware_type = \"ransomware\"\r\n        tlp = \"white\"\r\n    strings:\r\n        $lanstr1 = \"-lanfirst\"\r\n        $lanstr2 = \"-lansecond\"\r\n        $lanstr3 = \"-nolan\"\r\n        $str1 = \"BABUK LOCKER\"\r\n        $str2 = \".__NIST_K571__\" wide\r\n        $str3 = \"How To Restore Your Files.txt\" wide\r\n        $str4 = \"ecdh_pub_k.bin\" wide\r\n    condition:\r\n        all of ($str*) and all of ($lanstr*)\r\n}\r\nSource: http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/"
	],
	"report_names": [
		"BabukRansomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434350,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4eb91f4eed274fb28864880eb1a3ecb8ed7af856.pdf",
		"text": "https://archive.orkl.eu/4eb91f4eed274fb28864880eb1a3ecb8ed7af856.txt",
		"img": "https://archive.orkl.eu/4eb91f4eed274fb28864880eb1a3ecb8ed7af856.jpg"
	}
}