{
	"id": "aa5dbf74-6de2-4304-9def-14f87af00261",
	"created_at": "2026-04-06T00:11:06.469264Z",
	"updated_at": "2026-04-10T03:20:40.994272Z",
	"deleted_at": null,
	"sha1_hash": "57fc2480de6bf761b3d9c14566b3ada6cfba68cc",
	"title": "New Babuk Ransomware Found in Major Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1439290,
	"plain_text": "New Babuk Ransomware Found in Major Attack\r\nBy Morphisec Labs\r\nArchived: 2026-04-05 19:39:37 UTC\r\nDuring November, Morphisec identified a brand-new variant of Babuk ransomware while investigating a\r\ncustomer’s prevention event. Babuk was first discovered at the beginning of 2021, when it began targeting\r\nbusinesses to steal and encrypt data in double-extortion attacks. Later in the year, a threat actor leaked the\r\ncomplete source code for Babuk on a Russian-speaking hacking forum. \r\nNow threat actors have combined Babuk’s leaked source code with open-source evasive software and side loading\r\ntechniques to create a variant previously unseen in the wild. During the same month, Trend Micro released details\r\nabout a similar ransomware, mistakenly attributing it to WannaRen and naming the ransomware after the targeted\r\ncompany’s name. This time attackers used a new Babuk strain to target a large manufacturing company with more\r\nthan 10,000 workstations and server devices.  \r\nThe attackers had network access for two weeks of full reconnaissance prior to launching their attack. They have\r\ncompromised the company’s domain controller and used it to distribute ransomware to all devices within the\r\norganization through GPO. At this time, we won’t publish details about the full attack chain due to an ongoing\r\ninvestigation. Instead, we will dive into the ransomware itself.  
\r\nhttps://blog.morphisec.com/babuk-ransomware-variant-major-attack\r\nPage 1 of 10\n\nTechnical Analysis \r\nDeployment \r\nBefore starting mass infection in the domain, the attacker deploys the following malware files in the domain\r\ncontroller: \r\n\u003cfile\u003e.bat a BAT script responsible for checking the existence of security solutions and starting the\r\nexecution of a Microsoft installer ( .msi ) \r\n\u003cfile\u003e.msi we discuss this installer in more detail below \r\nThe attacker uses the domain controller’s NETLOGON folder—a shared folder holding the Group Policy login\r\nscript files. This ensures the .bat file executes throughout the whole domain. \r\nExecution \r\nThe msi installer contains four files: \r\nSapphireIMSClient.exe under the hood, this executable is NTSD.exe—a Symbolic Debugger tool for\r\nWindows. It’s a legitimate tool that’s vulnerable to DLL side-loading: \r\ndbgeng.dll the main malware component, it impersonates a legitimate DLL used by NTSD.exe and\r\nexploits the DLL side-loading vulnerability. \r\nTwo encrypted files sc.ocs and config.ocs \r\nThe .bat file will: \r\nSet up a UAC bypass in the registry \r\nCheck for security solutions and block communication to them by adding new firewall rules \r\nExecute the installer responsible for unpacking files into the C:\\Users\\Public\\SapphireIMSClient folder \r\nAfter that, the .bat executes the following command line:\r\nC:\\Users\\Public\\SapphireIMSClient\\SapphireIMSClient.exe C:\\Users\\Public\\SapphireIMSClient\\sc.ocs\r\nC:\\Users\\Public\\SapphireIMSClient\\config.ocs\r\nInjecting Open-Source Tools Into Legitimate DLL \r\nAs noted, NTSD.exe ( SapphireIMSClient.exe ) is a legitimate executable that loads a known core DLL\r\nnamed dbgeng.dll without validating its path. The attacker drops the malicious DLL in the same directory with\r\nthe same name. 
This leads to the malicious DLL executing inside the legitimate Microsoft-signed process. Attackers were also\r\npreviously using vulnerable Word Office applications. Our current assumption is that they’re targeting Microsoft\r\nsigned applications as this dramatically reduces machine learning thresholds for suspicious classification. (No\r\nvendor wants to kill Microsoft processes.) \r\nThe malicious code in dbgeng.dll has two responsibilities: \r\n1. Reading the .ocs files into memory \r\nA) sc.ocs an encrypted shellcode—the actual reflective loader of the final payload\r\nB) config.ocs an encrypted binary—the final payload \r\n2. Executing the next stage \r\nThe first task is done in a new thread, as seen in the following snippet: \r\nThe malware reads the .ocs file paths from the command line parameters delivered during the execution of the\r\nMicrosoft application and decrypts the content. \r\nAlthough this logic is widely available online, there’s high similarity between the code in the DLL and the code in\r\nthe open-source project: pe-loader ( https://github.com/polycone/pe-loader/blob/master/loader/src/system/system.cpp ). \r\nAs mentioned, the execution is divided into two routines. The first, denoted by the figure above, is located in the\r\nDLL loading routine, and is responsible for reading the .ocs files and decrypting the sc.ocs file (i.e., the\r\nshellcode). The second routine is the DebugCreate exported function. It starts with a long Sleep , waiting for\r\nthe reading task to end, before moving on. \r\nInside DebugCreate the malware adjusts the protection permissions to RWX , decrypts the payload, and transfers\r\nthe execution to the decrypted shellcode: \r\nReflective Loader Shellcode \r\nThe shellcode acts as a reflective loader. 
The code was first published by Stephen Fewer\r\n( https://github.com/stephenfewer ) but we noticed modifications. There are dozens of implementations and\r\nmodifications to the original technique but digging deeper revealed a high correlation between the shellcode used\r\nby the attacker and the following GitHub project: malisal/loaders/pe.c\r\n( https://github.com/malisal/loaders/blob/master/pe/pe.c ) \r\nThe attacker edited some functions, such as the Windows API hashing function, but the overall structure and code\r\nflow are the same. It looks like the attacker took “inspiration” from the open-source project. \r\nFinal Payload: Modified Babuk Ransomware \r\nThe final payload was Babuk ransomware compiled from the source code leaked last year:\r\nHildaboo/BabukRansomwareSourceCode ( https://github.com/Hildaboo/BabukRansomwareSourceCode ) \r\nWith the following list of processes to stop: \r\n“sql.exe”               “dbeng50.exe” \r\n“oracle.exe”            “sqbcoreservice.exe” \r\n“ocssd.exe”             “excel.exe” \r\n“dbsnmp.exe”            “infopath.exe” \r\n“synctime.exe”          “msaccess.exe” \r\n“agntsvc.exe”           “mspub.exe” \r\n“isqlplussvc.exe”       “onenote.exe” \r\n“xfssvccon.exe”         “outlook.exe” \r\n“mydesktopservice.exe”  “powerpnt.exe” \r\n“ocautoupds.exe”        “steam.exe” \r\n“encsvc.exe”            “thebat.exe” \r\n“firefox.exe”           “thunderbird.exe” \r\n“tbirdconfig.exe”       “visio.exe” \r\n“mydesktopqos.exe”      “winword.exe” \r\n“ocomm.exe”             “wordpad.exe” \r\n“dbeng50.exe”           “notepad.exe” \r\nSimilarities \r\nCode structure: the overall execution flow and code structure correlates to that presented by Babuk\r\nransomware \r\nSame encryption algorithm: one of the most characterizing functions of any ransomware is the\r\nencryption 
method. We verified that the payload in our case matches the one in the Babuk source-code \r\nConfiguration: the configuration and usage of the original and variant overlap \r\nThe below screenshot shows how certain code blocks match between the source-code and the de-compilation. \r\nNote: the compiler does its magic in some cases, which can lead to different code positioning and code\r\nreduction. \r\nModifications \r\nWe noticed the shadow copy deletion routine is different from that present in the source-code. \r\nBabuk Ransomware\r\nThe leaked Babuk source-code shows Shadow Copies being deleted by spawning new cmd.exe processes that execute\r\nthe vssadmin.exe utility: \r\nModified Babuk Ransomware: The Final Payload Used\r\nThe malware iterates over the available Shadow Copies by using COM objects that execute WMI queries. The\r\ncode snippet below shows how the malware executes a WMI query to get each Shadow Copy’s ID, and then, using\r\nCOM, deletes each Shadow Copy by its ID. \r\nIt’s worth noting that malware such as BlackMatter and Conti ransomware have exhibited similar behavior. \r\nWhy Defending Against Babuk Ransomware is So Hard \r\nModern NGAV, EPP, and EDR/XDR have limited visibility into runtime. They’re usually restricted to the use of\r\nhooking and/or Event Tracing for Windows (ETW). Assuming hooks and ETW aren’t tampered with, they’re just a\r\ndrop in the ocean of an application’s lifetime execution activities. This means if an application was loaded\r\nsuccessfully, most of the time security monitoring solutions will stay blind to the execution of the application until\r\na significant impact is visible on the system. \r\nThe application’s virtualized runtime address space is much larger than a single file. Therefore, applying a\r\ntraditional scanning approach during application execution is a lost battle. 
Furthermore, such scanning\r\nsignificantly degrades usability and must be minimized as much as possible. \r\nAttackers know these weaknesses of monitoring and scanning solutions and strive to maintain stealth within the\r\nmemory of an application. This applies to this new Babuk variant, which implements side-loading, executes\r\nwithin legitimate applications, and implements reflective loading functionality to hide the rest of the execution\r\nsteps. The attackers implement similar evasion techniques in their initial access and lateral movement steps, which\r\nwe will describe in the next blog. \r\nMoving Target Defense Technology \r\nBecause these threats are highly evasive and exist primarily in device memory, no level of NGAV or best-of-breed\r\nEDR can reliably detect and stop them. Morphisec’s revolutionary, patented Automated Moving Target Defense\r\n(MTD) technology is an industry-leading solution that stops undetectable attacks. It provides an ultra-lightweight,\r\nhighly effective defense against in-memory attacks. \r\nMTD morphs the runtime memory environment in an unpredictable manner to hide application and operating\r\nsystem targets from adversaries, providing true ransomware prevention. This leads to a dramatically reduced\r\nattack surface that makes targets impossible to find. MTD presents decoys to fool and trap threats without\r\naffecting usability. It blocks and exposes attackers relying on the invisibility of dynamic execution in-memory. \r\nBy morphing device memory during runtime, Morphisec’s MTD augments an organization’s existing security\r\nstack to stop and attribute fileless attacks that are otherwise impossible to detect. \r\nResults of the Attack \r\nThe company used a next generation anti-virus (NGAV) solution and Morphisec with anti-ransomware to defend\r\ntheir endpoints. 
The ransomware evaded the NGAV on the company’s endpoints, but Morphisec’s Moving Target\r\nDefense (MTD) technology stopped the attack, preventing any damage.\r\nMarket-leading EDRs like CrowdStrike and SentinelOne were not able to prevent the new Babuk variant at the\r\ntime of the attack. SentinelOne updated its signatures to detect the encrypted shellcode parameter 72 hours after\r\nthe ransomware was uploaded to an open repository, and CrowdStrike has also now updated its detection.\r\nAs this new variant of Babuk ransomware shows, MTD delivers unparalleled protection against unknown and in-memory attacks. To learn more, watch for Morphisec’s virtual event to hear Morphisec threat research experts\r\nshare exclusive details about the attack, including: \r\nFurther technical analysis of the ransomware, including the differences between the original Babuk\r\nransomware and the new variant \r\nMore detail on the techniques the ransomware uses to evade NGAV, EPP, and EDR solutions \r\nRecommendations for adjusting your security posture to protect against the new threat \r\nPlus we take selected questions about the ransomware \r\nWatch now: Threat Alert: New Babuk Ransomware Variant Discovered. \r\nTo protect the privacy of the affected company, Morphisec is not currently releasing the indicators of compromise\r\n(IOCs) publicly. To request the IOCs, please email Morphisec CTO Michael Gorelik. \r\nAbout the author\r\nMorphisec Labs\r\nMorphisec Labs continuously researches threats to improve defenses and share insight with the broader cyber\r\ncommunity. 
The team engages in ongoing cooperation with leading researchers across the cybersecurity spectrum\r\nand is dedicated to fostering collaboration, data sharing and offering investigative assistance.\r\nSource: https://blog.morphisec.com/babuk-ransomware-variant-major-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.morphisec.com/babuk-ransomware-variant-major-attack"
	],
	"report_names": [
		"babuk-ransomware-variant-major-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434266,
	"ts_updated_at": 1775791240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/57fc2480de6bf761b3d9c14566b3ada6cfba68cc.pdf",
		"text": "https://archive.orkl.eu/57fc2480de6bf761b3d9c14566b3ada6cfba68cc.txt",
		"img": "https://archive.orkl.eu/57fc2480de6bf761b3d9c14566b3ada6cfba68cc.jpg"
	}
}