# Babuk Ransomware: The Builder **[marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/](https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/)** View all posts by marcoramilli July 5, 2021 On April 2021, one of the most known Ransomware Gang called Babuk, decided to change the way they ask for ransom: no more double extortion, no more file encryption but just data exfiltration and a later announcement in case of no deal with the victim. It’s a nice move forward for a Ransomware Gang that, as far as I know, followed the Maze Group double extortion [paradigm since 2019. This is what reported on BleepingComputer (HERE) on April.](https://www.bleepingcomputer.com/news/security/babuk-quits-ransomware-encryption-focuses-on-data-theft-extortion/) “Babuk changes direction, we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it if you do not get in touch we make an announcement” – Babuk ransomware _Babuk Ransomware Gang_ At the end of April, Babuk gang decided to definitely close their malicious operations making their Babuk Ransomware opensource, but so far no code was shared to the community. Many Babuk ransomware where disclosed and analyzed during the following weeks, but when I saw this (reference follows) sample called “builder” with static signatures that reminded me the Babuk Ransomware, I decided to take a closer look checking if it definitely was the Babuk builder. One-Time Monthly **Make a one-time donation** **Make a monthly donation** Choose an amount $1.00 $5.00 $10.00 $5.00 $15.00 $100.00 ----- If you think this content is helpful, please consider to make a little donation. It would help me in building and writing additional contributions to community. By donation you will contribute to community as well. Thank you ! If you think this content is helpful, please consider to make a little donation. It would help me in building and writing additional contributions to community. By donation you will contribute to community as well. Thank you ! [DonateDonate monthly](https://subscribe.wordpress.com/memberships/?blog=155480246&plan=10519&lang=en_US&pid=10095&redirect=https%3A%2F%2Fmarcoramilli.com%2F2021%2F07%2F05%2Fbabuk-ransomware-the-builder) **Builder Analysis** So, let’s take a closer look to this sample called `builder matching signature from Babuk` Ransomware. Sha256: ``` 4fa565cc2ebfe97b996786facdb454e4328a28792e27e80e8b46fe24b44781af, from the time ``` of the analysis, the sample is recognized as malicious from 8 (over 68) AV vendors. I believe it is a nice starting point to investigate our building chain ;). BabukRansomwareBuilder on VT Given Name builder.bin SHA256 4fa565cc2ebfe97b996786facdb454e4328a28792e27e80e8b46fe24b44781af Technology Microsoft C/C++ Behavior Ransomware Builder The sample appears to be not packed. It means that on building chain the attacker need to use an external packer. It might underline a non sophisticated developer chain, in other words, the developer may have no expertise building packers or he/she decided to use external obfuscators/packers during the delivery phase of the derivated artifacts. The `builder is a CLI` utility asking for a folder. Once you give a folder name it firstly check if the folder exists, and if it doesn’t, the sample creates it. It later builds up the pair keys by using elliptic curve algorithm with a randomly generated 256 key size. ----- Private and Public Elliptic Curve Keys Random Key Generation For Elliptic Curve 32×8 (256) Key After the key generation phase the builder saves such a keys inside the given folder in two separated files : `kp.curve25519 and` `ks.curve25519 which are public and secret` parameters for the Montgomery curve. The builder then checks for components in the current folder in order to build the output samples. The needed components are: ``` note.txt : a simple text file wrapping ransom note. e_esxi.out, e_nas_x86.out, e_nas_arm.out, e_win.bin : specific encryption ``` payloads for different targets (ESXI, NAS and Windows Machines) ----- ``` d_esxi.out, d_nas_x86.out, d_nas_arm.out, d_win.bin : specific decryption ``` payloads for different targets (ESXI, NAS and Windows Machines) The following image shows the main builder function in where it looks for external files (representing payloads) and saves them on local hard drive ready to be implemented into the victims system. ----- Babuk main building function ----- The ransomware generation is a simple process. It firstly takes the external payload and it later starts a `lstrcp (which is dynamically loaded) to copy the exernal payload to files,` implementing the final ransomware. The following image shows the main saving function. Main Saving Function The following images show the variables wrapping out the file name (on the left) and the result of the “stringCopy” function (on the right) before saving them to the hard drive. Once the building function terminates its run the user (actually the attacker) finds the given folder full of ransomware ready to be deployed to victims. The following image shows the built ransomware which happens to be ready to be spread on `Windows system,` `Linux systems` on `ESX and specific` `NAS within ARM core.` ----- Final Built Folder **Conclusion** Babuk Builder looks like to be a quite simple piece of code. But even if it’s a simple code it holds some interesting characteristics which could be helpful to compare to future builders. For example the loading sections and the way the builder uses the `lstrcp function to copy the` loaded payloads. The main building loop and the used algorithm to generate key-pairs. **Name** **Sha256** d_esxi.out a7a832dd999f4d147087231731ac040be03a26859cfc03f948b092b5a8c259d6 d_nas_arm.out fa2b76dde88f2306b280586b5cf40671f4f08b83e9e095f7d52608e6ed1dd7bf d_nas_x86.out 45b26897e7d81f2e1905cbb3d227a94bc7991f14a4a24f4aa4752083602be41e d_win.exe 0221b06e7aa462206039db6366bee9b31838d736dff9145ee54811e2abee7128 e_esxi.out 1afd6bbf62fa0906da0fc4ebd55bf7339aeb3d8beb539df9be4d016efabf3a12 e_nas_arm.out 1a3b213f0303ff5f676df39217abae197f8af689de4c884cd0acc96aedb1a328 e_nas_x86.out af2727be8ff8eb40b4e6eb0ba3c3d0594e4e902e698875a0ef4e3a4ef06f2a86 e_win.exe 3d554fe3ed824df5bb625bcff4ddde834866164088358ddabc4e5aec8a6562b0 Babuk Builder IoC -----