{
	"id": "dac231ff-f661-4526-931d-c12563a99ea9",
	"created_at": "2026-04-06T00:17:18.060649Z",
	"updated_at": "2026-04-10T03:22:49.878482Z",
	"deleted_at": null,
	"sha1_hash": "ac39748c86f52f0b4a8b58ce347116ed9e14dfc4",
	"title": "Malware analysis report: Babuk ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3276525,
	"plain_text": "Malware analysis report: Babuk ransomware\r\nBy MSSP Research Lab\r\nPublished: 2023-06-15 · Archived: 2026-04-05 19:55:39 UTC\r\n15 minute read\r\nBabuk is a ransomware family that was first discovered in early 2021. It quickly became infamous, especially on\r\ncorporate networks, for how quickly it encrypts files and demands a ransom. However, the decisive moment in its\r\ndevelopment was the leak of its source code, which subsequently contributed to the spread of new ransomware\r\nvariants.\r\nThreat actor\r\nBabuk, also known as Team Babuk, is a criminal group that developed and distributed the Babuk ransomware. The\r\ngroup was first discovered in early 2021 and has since been seen in several major cyberattacks, especially\r\nagainst corporate networks.\r\nUnlike many other cybercriminal groups, Babuk was so brazen that they threatened to release the stolen data if\r\nthey did not receive a ransom. In fact, they set up their own website, “Babuk Locker’s Leak Site”, where they\r\nposted details of victims who refused to pay.\r\nLike many similar groups, Babuk operates on a Ransomware-as-a-Service (RaaS) model, offering their\r\nservices to other cybercriminals for a share of the ransom.\r\nDistribution and Infiltration\r\nhttps://mssplab.github.io/threat-hunting/2023/06/15/malware-analysis-babuk.html\r\nPage 1 of 21\n\nDistribution: Babuk is typically distributed through phishing campaigns that use infected attachments or links.\r\nInfiltration: After successfully infiltrating the system, Babuk begins encrypting files using its own encryption scheme, based on the\r\nSalsa20 and RSA ciphers.\r\nPost-Infection Behavior\r\nBabuk changes the extension of encrypted files to include its own unique extension and leaves a ransom note with instructions to\r\nrestore the files.\r\n
Babuk also removes shadow copies and backups to increase pressure on the victim.\r\nIdentification\r\nSample under investigation:\r\nsample.exe:\r\nFile size: 31232 bytes\r\nMD5 sum: e10713a4a5f635767dcd54d609bed977\r\nSHA-1 sum: 320d799beef673a98481757b2ff7e3463ce67916\r\nSHA-256 sum: 8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9\r\nFirst of all, check the sample on VirusTotal:\r\nhttps://www.virustotal.com/gui/file/8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9/detection\r\nAs we can see, 63 of 70 AV engines detect the sample as malicious.\r\nThis sample is written in C++. It protects its keys and encrypts files using its own implementations of SHA256 hashing,\r\nChaCha8 encryption, and the Elliptic-curve Diffie–Hellman (ECDH) key generation and exchange algorithm. Similar to\r\nother ransomware, it can propagate its encryption by enumerating available network resources.\r\nStatic analysis\r\nThe specified sample is a 32-bit PE file:\r\nUse exiftool to look at the metadata:\r\nFile timestamp is 2020:12:30 14:03:14+03:00\r\nShannon entropy of the sections in the sample:\r\nCompiled with Visual Studio 2019 16.7 [GUI32]:\r\nand not packed:\r\nRansom note from Babuk:\r\nDynamic analysis\r\nBabuk is capable of operating with or without command line parameters.\r\n
If no parameter is specified, encryption is\r\nlimited to local devices only. The supported parameters are:\r\n-nolan - Do not encrypt the LAN\r\n-lansecond - Encrypt the LAN after local files (first local files, then the LAN)\r\n-lanfirst - Encrypt the LAN first and then local files\r\nTerminating processes - Using CreateToolhelp32Snapshot, Process32FirstW, and Process32NextW to\r\nenumerate all of the running processes on the system, Babuk iterates over them and searches for processes that need to be\r\nclosed. It calls TerminateProcess to terminate any process it finds.\r\nHere is the list of processes to be closed:\r\nsql.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, isqlplussvc.exe,\r\nxfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefox.exe, tbirdconfig.exe,\r\nmydesktopqos.exe, ocomm.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe,\r\nmspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thunderbird.exe,\r\nvisio.exe, winword.exe, wordpad.exe, notepad.exe\r\nShadow copies - Babuk attempts to remove shadow copies both before and after encryption.\r\nBefore invoking ShellExecuteW to execute the following command, Wow64DisableWow64FsRedirection is called to disable file system redirection:\r\ncmd.exe /c vssadmin.exe delete shadows /all /quiet\r\nAfter removing the shadow copies, Babuk checks whether the system is running on a 64-bit processor.\r\n
If so,\r\nWow64RevertWow64FsRedirection is invoked to re-enable file system redirection.\r\nTerminating services - The authors of Babuk hard-coded a list of services that must be stopped prior to\r\nencryption.\r\nBefore stopping a service, Babuk calls EnumDependentServicesA to retrieve the name and status of each\r\ndependent service.\r\nIt then invokes ControlService with the control code SERVICE_CONTROL_STOP to halt the dependent services before stopping\r\nthe primary service in the same manner.\r\nList of services:\r\nvss, sql, svc$, memtas, mepocs, sophos, veeam, backup, GxVss, GxBlr, GxFWD, GxCVD, GxCIMgr, DefWatch, ccEvtMgr,\r\nccSetMgr, SavRoam, RTVscan, QBFCService, QBIDPService, Intuit.QuickBooks.FCS, QBCFMonitorService, YooBackup,\r\nYooIT, zhudongfangyu, sophos, stc_raw_agent, VSNAPVSS, VeeamTransportSvc, VeeamDeploymentService, VeeamNFSSvc,\r\nveeam, PDVFSService, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser,\r\nBackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService,\r\nAcrSch2Svc, AcronisAgent, CASAD2DWebSvc, CAARCUpdateSvc\r\nEncryption logic - the most interesting part of our research. First, Babuk generates four random buffers using\r\nRtlGenRandom:\r\nRtlGenRandom - This function is exported under the name SystemFunction036 from Advapi32.dll.\r\nTwo of the buffers are used as ChaCha8 keys, while the remaining two are used as ChaCha8 nonces.\r\nNext, the second ChaCha8 key is encrypted using the first key and nonce. The first key is then encrypted using\r\nthe already-encrypted second key and nonce.\r\nThis encrypted first key is treated as the elliptic-curve Diffie–Hellman (ECDH) private key for the local machine.\r\n
Using the code of its embedded ECDH library (tiny-ECDH-c, listed in the References), Babuk now builds a local ECDH public key from that\r\nprivate key.\r\nAfter that, it produces a shared secret from the local private key and the author’s public key, which is\r\nhard-coded in the sample.\r\nThis shared secret is hashed with SHA256 to produce two ChaCha8 keys. These keys are\r\nsubsequently used to encrypt files.\r\nIn this report, we would like to look in more detail at the cryptographic logic of this ransomware family. So, in order\r\nto understand the workings of the ransomware a little deeper, we give a short theoretical introduction.\r\nECC\r\nBabuk is a sophisticated ransomware compiled for several platforms that uses elliptic-curve arithmetic\r\n(the Montgomery algorithm) to build its encryption keys.\r\nElliptic curve cryptography (ECC) is an approach to public key cryptography based on the algebraic structure of\r\nelliptic curves over finite fields. ECC requires smaller keys compared to non-elliptic-curve cryptography (based on\r\nplain Galois fields) to provide equivalent security.\r\nThe Montgomery algorithm is an efficient method for performing the point multiplication operation that is at the heart\r\nof most elliptic curve cryptographic algorithms.\r\nInitialization - Two parties agree on a global elliptic curve and a base point on the curve. This base point is chosen\r\nsuch that when it is repeatedly added to itself, the resulting points “wrap around” the curve instead of marching off to\r\ninfinity.\r\nKey Generation - Each party generates a private key, which is a random integer, and a public key, which is the base\r\npoint added to itself private-key many times.\r\n
Because reversing this operation is computationally infeasible (it is one-way), the\r\nprivate key cannot feasibly be calculated from the public key.\r\nEncryption - To encrypt a message, a party must first translate the message into a point on the curve. They then\r\ngenerate a random integer and produce two points: the base point added to itself random-integer many times, and\r\nthe message point plus the other party’s public key added to itself random-integer many times.\r\nDecryption - The receiving party multiplies the first point by their own private key, which results in a new point.\r\nThey then subtract the new point from the second point to retrieve the original message point.\r\nElliptic curves over real numbers and the group law - Elliptic curves over real numbers are curves defined by the\r\nequation y^2 = x^3 + ax + b. In this equation, a and b are constants that determine the specific shape of the\r\ncurve. The curves have a property we call the “group law” that allows us to “add” points on the curve together to get a\r\nthird point on the curve. This addition usually doesn’t match our normal idea of addition, but it has some similar\r\nproperties, like being commutative and associative.\r\nElliptic curves over finite fields and the discrete logarithm problem - When we talk about elliptic curves in\r\ncryptography, we usually mean elliptic curves over finite fields. A finite field is a set with a finite number of elements\r\nand two operations that have the properties of addition and multiplication. For example, the field of two elements {0,\r\n1} with the usual operations of addition and multiplication modulo 2 is a finite field. The discrete logarithm\r\nproblem on elliptic curves over finite fields forms the basis for the security of elliptic curve cryptography.\r\nKey pair generation and two ECC algorithms: ECDH and ECDSA - Key pair generation in ECC starts with\r\nchoosing an elliptic curve and a point on that curve.\r\n
Then a random number is generated, which serves as the private\r\nkey. To get the corresponding public key, the private key is “multiplied” (using the group law described above) with\r\nthe chosen point on the curve. The result is another point on the curve, which is the public key.\r\nECDH (Elliptic Curve Diffie-Hellman) and ECDSA (Elliptic Curve Digital Signature Algorithm) are two common\r\ncryptographic algorithms that use ECC. ECDH is a key exchange protocol, and ECDSA is a digital signature protocol.\r\nThey are similar to the original Diffie-Hellman and DSA protocols, but they use operations on elliptic curves instead\r\nof operations in the multiplicative group of integers modulo p.\r\nImplementing elliptic curve cryptography from scratch is a complex task and beyond the scope of this report due to\r\nthe amount of code involved and the level of mathematical detail required. However, we can show how to use\r\nexisting libraries to perform elliptic-curve operations.\r\nOpenSSL is a widely used and comprehensive library that includes support for elliptic curve cryptography. Here is an\r\nexample of how to generate key pairs, perform an ECDH key exchange, and create a signature using ECDSA (error checking is omitted for brevity):\r\n#include \u003cstdlib.h\u003e\r\n#include \u003cstring.h\u003e\r\n#include \u003cassert.h\u003e\r\n#include \u003copenssl/evp.h\u003e\r\n#include \u003copenssl/ec.h\u003e\r\n#include \u003copenssl/ecdh.h\u003e\r\n#include \u003copenssl/ecdsa.h\u003e\r\n#include \u003copenssl/rand.h\u003e\r\nint main() {\r\n EVP_PKEY *pkey1 = NULL, *pkey2 = NULL; /* must be NULL so EVP_PKEY_keygen allocates fresh keys */\r\n EVP_PKEY_CTX *ctx;\r\n unsigned char *secret1, *secret2;\r\n size_t secret_len1, secret_len2;\r\n /* Generate two keys for ECDH key exchange. */\r\n ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);\r\n EVP_PKEY_keygen_init(ctx);\r\n EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, NID_X9_62_prime256v1);\r\n EVP_PKEY_keygen(ctx, \u0026pkey1);\r\n EVP_PKEY_keygen(ctx, \u0026pkey2);\r\n EVP_PKEY_CTX_free(ctx);\r\n /* Derive the shared secret. */\r\n ctx = EVP_PKEY_CTX_new(pkey1, NULL);\r\n EVP_PKEY_derive_init(ctx);\r\n EVP_PKEY_derive_set_peer(ctx, pkey2);\r\n EVP_PKEY_derive(ctx, NULL, \u0026secret_len1); /* first call only reports the required buffer size */\r\n secret1 = malloc(secret_len1);\r\n EVP_PKEY_derive(ctx, secret1, \u0026secret_len1);\r\n EVP_PKEY_CTX_free(ctx);\r\n /* Swap the keys and derive the shared secret again. */\r\n ctx = EVP_PKEY_CTX_new(pkey2, NULL);\r\n EVP_PKEY_derive_init(ctx);\r\n EVP_PKEY_derive_set_peer(ctx, pkey1);\r\n EVP_PKEY_derive(ctx, NULL, \u0026secret_len2);\r\n secret2 = malloc(secret_len2);\r\n EVP_PKEY_derive(ctx, secret2, \u0026secret_len2);\r\n EVP_PKEY_CTX_free(ctx);\r\n /* Now we have two shared secrets that should be equal. */\r\n assert(secret_len1 == secret_len2);\r\n assert(memcmp(secret1, secret2, secret_len1) == 0);\r\n /* Create a signature using ECDSA. */\r\n EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey1); /* get1: we own a reference and must free it */\r\n unsigned char digest[32], *signature;\r\n unsigned int sig_len;\r\n RAND_bytes(digest, sizeof(digest)); /* Get a random \"message\" (in practice, a hash of the message). */\r\n signature = malloc(ECDSA_size(eckey));\r\n ECDSA_sign(0, digest, sizeof(digest), signature, \u0026sig_len, eckey);\r\n /* Verify the signature. */\r\n assert(ECDSA_verify(0, digest, sizeof(digest), signature, sig_len, eckey) == 1);\r\n /* Clean up. */\r\n free(secret1);\r\n free(secret2);\r\n free(signature);\r\n EVP_PKEY_free(pkey1);\r\n EVP_PKEY_free(pkey2);\r\n EC_KEY_free(eckey);\r\n return 0;\r\n}\r\nThe example above generates two keys for ECDH, derives the shared secret from both sides (the two results must be equal),\r\ncreates a random message and an ECDSA signature over it, and verifies the signature. It is compiled with:\r\ngcc crypto_hack.c -lssl -lcrypto -o ./crypto\r\nMontgomery Ladder for ECC\r\nThe Montgomery ladder, named after its creator Peter Montgomery, is an algorithm used to perform the\r\nscalar multiplication operation in ECC. The main advantage of the Montgomery ladder is its resistance to simple\r\npower analysis and timing attacks, because it performs the same sequence of operations for every bit of the key, whatever that bit’s value.\r\nHere’s a step-by-step process:\r\nInitialize two points R0 and R1 on the curve such that R0 = 0 (the point at infinity) and R1 = P, where P is the point being\r\nmultiplied.\r\nFor each bit in the key, starting with the most significant and moving to the least significant: if the bit is 1,\r\nperform R0 = R0 + R1, R1 = 2 * R1; if the bit is 0, perform R1 = R0 + R1,\r\nR0 = 2 * R0.\r\nAt the end of this process, R0 will contain kP.\r\nWe can provide a basic example of an implementation of ECC point addition and doubling. This code doesn’t\r\nimplement Montgomery scalar multiplication, but will give you an idea of how ECC works.\r\n
This is a simplified version, and\r\nfor actual cryptographic applications a more robust and secure implementation is needed:\r\n#include \u003ciostream\u003e\r\n// Affine point on the curve y^2 = x^3 + ax + b over the integers modulo a prime.\r\nclass Point {\r\npublic:\r\n int x, y;\r\n Point() : x(0), y(0) {}\r\n Point(int x, int y) : x(x), y(y) {}\r\n};\r\nclass EllipticCurve {\r\npublic:\r\n int a, b;\r\n EllipticCurve(int a, int b) : a(a), b(b) {}\r\n // Chord rule: P1 + P2 for P1 != P2 (the point at infinity is not modelled here).\r\n Point add(const Point\u0026 p1, const Point\u0026 p2, int mod) const {\r\n int s = norm((long long)norm(p2.y - p1.y, mod) * inverse(norm(p2.x - p1.x, mod), mod), mod);\r\n int xr = norm((long long)s * s - p1.x - p2.x, mod);\r\n int yr = norm((long long)s * (p1.x - xr) - p1.y, mod);\r\n return Point(xr, yr);\r\n }\r\n // Tangent rule: 2P.\r\n Point doublePoint(const Point\u0026 p, int mod) const {\r\n int s = norm((long long)norm(3 * p.x * p.x + a, mod) * inverse(norm(2 * p.y, mod), mod), mod);\r\n int xr = norm((long long)s * s - 2 * p.x, mod);\r\n int yr = norm((long long)s * (p.x - xr) - p.y, mod);\r\n return Point(xr, yr);\r\n }\r\nprivate:\r\n // Reduce v into [0, mod). C++ % keeps the sign of the dividend, so negative\r\n // differences must be normalised or the inverse below receives garbage.\r\n static int norm(long long v, int mod) {\r\n return (int)(((v % mod) + mod) % mod);\r\n }\r\n // Modular inverse via the extended Euclidean algorithm (mod must be prime, a != 0).\r\n int inverse(int a, int mod) const {\r\n int m0 = mod, t, q;\r\n int x0 = 0, x1 = 1;\r\n if (mod == 1)\r\n return 0;\r\n while (a \u003e 1) {\r\n q = a / mod;\r\n t = mod;\r\n mod = a % mod;\r\n a = t;\r\n t = x0;\r\n x0 = x1 - q * x0;\r\n x1 = t;\r\n }\r\n if (x1 \u003c 0)\r\n x1 += m0;\r\n return x1;\r\n }\r\n};\r\nint main() {\r\n EllipticCurve curve(2, 3);\r\n Point p1(3, 7), p2(4, 5);\r\n int mod = 11;\r\n Point sum = curve.add(p1, p2, mod);\r\n std::cout \u003c\u003c \"Point Addition: (\" \u003c\u003c sum.x \u003c\u003c \", \" \u003c\u003c sum.y \u003c\u003c \")\" \u003c\u003c std::endl;\r\n Point doub = curve.doublePoint(p1, mod);\r\n std::cout \u003c\u003c \"Point Doubling: (\" \u003c\u003c doub.x \u003c\u003c \", \" \u003c\u003c doub.y \u003c\u003c \")\" \u003c\u003c std::endl;\r\n return 0;\r\n}\r\nWe can also provide a simple C++ example of Montgomery multiplication.\r\n
Montgomery multiplication is a\r\nmethod for multiplying two integers modulo an odd positive integer m without a costly division: operands are kept in “Montgomery form” (x*R mod m for a power of two R \u003e m), so the reduction step needs only shifts and masks:\r\n#include \u003ciostream\u003e\r\n// Montgomery product: for x, y \u003c m returns x*y*R^-1 mod m, where R = 2^k \u003e m and\r\n// inv satisfies m*inv == -1 (mod R). The division by r is exact because\r\n// t + u*m is a multiple of r by construction.\r\nunsigned long long montgomery_mul(unsigned long long x,\r\n unsigned long long y,\r\n unsigned long long m,\r\n unsigned long long inv,\r\n unsigned long long r) {\r\n unsigned long long t = x * y;\r\n unsigned long long u = (t * inv) % r;\r\n unsigned long long prod = (t + u * m) / r;\r\n if(prod \u003e= m) prod -= m; // t \u003c m*R guarantees that one subtraction suffices\r\n return prod;\r\n}\r\n// Compute -m^-1 mod r for odd m by Newton iteration: each step doubles the\r\n// number of correct low-order bits, so six steps cover all 64 bits.\r\nunsigned long long montgomery_inv(unsigned long long m, unsigned long long r) {\r\n unsigned long long inv = 1;\r\n for(int i = 0; i \u003c 6; ++i)\r\n inv *= 2 - m * inv; // now m*inv == 1 (mod 2^64), and hence (mod r)\r\n return r - (inv % r);\r\n}\r\n// a^b mod m for odd m \u003c 2^31 (so that no intermediate product overflows 64 bits).\r\nunsigned long long montgomery_pow(unsigned long long a, unsigned long long b, unsigned long long m) {\r\n unsigned long long r = 1;\r\n while(r \u003c= m) r \u003c\u003c= 1; // R = smallest power of two above m\r\n unsigned long long inv = montgomery_inv(m, r);\r\n unsigned long long aR = (a * r) % m; // a in Montgomery form\r\n unsigned long long xR = r % m; // 1 in Montgomery form\r\n for(; b \u003e 0; b \u003e\u003e= 1) {\r\n if(b \u0026 1)\r\n xR = montgomery_mul(xR, aR, m, inv, r);\r\n aR = montgomery_mul(aR, aR, m, inv, r);\r\n }\r\n return montgomery_mul(xR, 1, m, inv, r); // multiplying by 1 converts out of Montgomery form\r\n}\r\nint main() {\r\n std::cout \u003c\u003c montgomery_pow(5, 3, 13) \u003c\u003c \"\\n\"; // outputs: 8\r\n return 0;\r\n}\r\nPath traversal logic - In order to explore and encrypt files, Babuk uses recursion. It navigates through each directory using the FindFirstFileW and FindNextFileW functions in\r\norder to search for files and subdirectories.\r\nWhen it comes across a directory, it calls the main_encrypt function recursively. However,\r\nbecause Babuk only descends 16 directory levels deep in order to save time, it may not encrypt each and\r\nevery folder on the drive.\r\nWhen it comes across a file, it checks whether the file name is How To Restore Your data.txt or whether\r\nthe file extension is __NIST_K571__.\r\n
This is done to prevent it from encrypting the ransom note or data that has\r\nalready been encrypted.\r\nBabuk decryption\r\nIn order for Babuk to be able to decrypt files, the local public key is saved in the file ecdh_pub_k.bin, which is\r\nlocated in the APPDATA folder, something like this re-implementation:\r\nWCHAR pubkeypath[MAX_PATH] = { 0 };\r\nGetEnvironmentVariableW(L\"APPDATA\", pubkeypath, MAX_PATH);\r\nlstrcatW(pubkeypath, L\"\\\\ecdh_pub_k.bin\");\r\nKilling processes that are using files\r\nSimilar to the Conti and REvil ransomware, Babuk uses the Windows\r\nRestart Manager to end any process that has a file open. This makes sure that nothing can stop it from\r\nopening the files and encrypting them:\r\nRmStartSession, RmRegisterResources, and RmGetList are the calls used to retrieve the list of processes that are using a particular file.\r\n
Babuk will attempt to terminate the process by using\r\nTerminateProcess if the process in question is not explorer.exe or a critical process.\r\nUtils\r\nWe also re-implemented some of the utility routines behind tricks used in the Babuk ransomware.\r\nChecks whether the (32-bit) process is running under WOW64, i.e. on a 64-bit machine:\r\n#include \u003cwindows.h\u003e\r\n// IsWow64Process is resolved dynamically because older kernel32 builds do not export it.\r\ntypedef BOOL (WINAPI *pdef_IsWow64Process)(HANDLE, PBOOL);\r\nBOOL myIsWow64Process()\r\n{\r\n BOOL bIsWow = FALSE;\r\n HMODULE hModule = GetModuleHandleA(\"kernel32.dll\");\r\n pdef_IsWow64Process IsWow64Process_ = (pdef_IsWow64Process)GetProcAddress(hModule, \"IsWow64Process\");\r\n if(IsWow64Process_ != NULL)\r\n {\r\n if(!IsWow64Process_(GetCurrentProcess(), \u0026bIsWow))\r\n {\r\n bIsWow = FALSE; // call failed: assume not WOW64\r\n }\r\n }\r\n return bIsWow;\r\n}\r\nHeapAlloc and HeapFree wrappers:\r\n// Serialises heap calls between threads; InitializeCriticalSection(\u0026critSection) must run once before first use.\r\nstatic CRITICAL_SECTION critSection;\r\nLPVOID myHeapAlloc(int len) {\r\n EnterCriticalSection(\u0026critSection);\r\n LPVOID lpMem = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, len + 64); // zero-filled, with 64 bytes of slack\r\n LeaveCriticalSection(\u0026critSection);\r\n return lpMem;\r\n}\r\nVOID myHeapFree(LPVOID mem) {\r\n EnterCriticalSection(\u0026critSection);\r\n HeapFree(GetProcessHeap(), 0, mem);\r\n LeaveCriticalSection(\u0026critSection);\r\n}\r\nIOCs\r\nMD5 sum: e10713a4a5f635767dcd54d609bed977\r\nSHA-1 sum: 320d799beef673a98481757b2ff7e3463ce67916\r\nSHA-256 sum: 8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9\r\nIPs and domains:\r\n20.99.184.37\r\n239.255.255.250\r\nbabukq4e2p4wu4iq.onion\r\nYara rule\r\nrule BabukRansom {\r\n meta:\r\n description = \"YARA rule for Babuk Ransomware\"\r\n reference = \"https://mssplab.github.io/threat-hunting/2023/06/15/malware-analysis-babuk.html\"\r\n author = \"@cPeterr\"\r\n date = \"2021-01-03\"\r\n rule_version = \"v1\"\r\n malware_type = \"ransomware\"\r\n tlp = \"white\"\r\n strings:\r\n $lanstr1 = \"-lanfirst\"\r\n $lanstr2 = \"-lansecond\"\r\n $lanstr3 = \"-nolan\"\r\n $str1 = \"BABUK LOCKER\"\r\n $str2 = \".__NIST_K571__\" wide\r\n $str3 = \"How To Restore Your Files.txt\" wide\r\n $str4 = \"ecdh_pub_k.bin\" wide\r\n condition:\r\n all of ($str*) and all of ($lanstr*)\r\n}\r\nConclusion\r\nBabuk announced their “retirement” at the end of April 2021. However, this does not mean that the threat has\r\ndisappeared completely. There is concern that members of the group may continue their activities within other groups\r\nor under new names. And although the samples we studied were two years old, the use of elliptic\r\ncurve cryptography in ransomware is of particular interest.\r\nBy Cyber Threat Hunters from MSSPLab:\r\n@cocomelonc\r\n@wqkasper\r\n@mgmadr\r\nReferences\r\nMITRE ATT\u0026CK: Babuk\r\nhttps://github.com/kokke/tiny-ECDH-c\r\nSalsa20 wikipedia\r\nPeter Montgomery\r\nBabuk sample\r\nThanks for your time, happy hacking and good bye!\r\nAll drawings and screenshots are MSSPLab’s\r\nSource: https://mssplab.github.io/threat-hunting/2023/06/15/malware-analysis-babuk.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://mssplab.github.io/threat-hunting/2023/06/15/malware-analysis-babuk.html"
	],
	"report_names": [
		"malware-analysis-babuk.html"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434638,
	"ts_updated_at": 1775791369,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ac39748c86f52f0b4a8b58ce347116ed9e14dfc4.pdf",
		"text": "https://archive.orkl.eu/ac39748c86f52f0b4a8b58ce347116ed9e14dfc4.txt",
		"img": "https://archive.orkl.eu/ac39748c86f52f0b4a8b58ce347116ed9e14dfc4.jpg"
	}
}