{
	"id": "583cd980-4d88-421e-845b-dfebf6e1c082",
	"created_at": "2026-04-06T00:14:05.031344Z",
	"updated_at": "2026-04-10T13:11:37.3454Z",
	"deleted_at": null,
	"sha1_hash": "fe27753f8d79d18214155a7120e6912ad182c456",
	"title": "BabLock - a new stealthy ransomware | Group-IB Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 173205,
	"plain_text": "Andrey Zhdanov\r\nChief Malware Analyst and Threat\r\nHunter\r\nVladislav Azersky\r\nIncident Response and Digital\r\nForensics Analyst\r\nThe old way: BabLock, new\r\nransomware quietly cruising\r\naround Europe, Middle East, and\r\nAsia\r\nGroup-IB uncovers a new stealthy ransomware strain\r\nApril 4, 2023 · min to read · Ransomware\r\n← Blog\r\nhttps://www.group-ib.com/blog/bablock-ransomware/\r\nPage 1 of 33\n\nBabLock Digital Forensics Incident Response Ransomware\r\nThe New Year holidays have always been a time of the year that our Digital Forensics and Incident\r\nResponse unit spends in anticipation of something bad. The anticipation usually lasts until the end\r\nof the New Year holidays in Russia and some other Post-Soviet states. A fair share of ransomware\r\ngangs and their affiliates are Russian speaking, and they take a break during the winter holidays,\r\njust like law abiding citizens do. Once the holidays are over, these groups get back to work. So do\r\ncyber incident response teams. And this year was not an exception.\r\nIn mid-January 2023, Group-IB’s Amsterdam-based Digital Forensics and Incident Response team\r\nwas called in to investigate one of those post-New-Year-holidays attacks against an industrial sector\r\ncompany in Europe. During the investigation, Group-IB’s experts established that the victim had\r\nbeen encrypted with a previously unknown ransomware strain. The strain, first uncovered by\r\nGroup-IB researchers in January 2023, was codenamed BabLock, because its versions for Linux\r\nand ESXi share similarities with the leaked Babuk ransomware. 
Despite these slight similarities, the group has a very distinct modus operandi and custom, sophisticated ransomware for Windows. Additionally, the BabLock gang (also tracked under the name “Rorschach” by Check Point), unlike most of its “industry peers”, does not use a Data Leak Site (DLS) and communicates with its victims via email.\r\nThe absence of a DLS, along with relatively modest ransom demands ranging from 50,000 to 1,000,000 USD, allows the group to operate stealthily and remain under the radar of cybersecurity researchers. The strain has been active since at least June 2022, when its earliest known version for ESXi was released. Interestingly, all BabLock ransomware modules for Windows that Group-IB researchers found were compiled in 2021, according to their timestamps.\r\nIn addition to Europe, the group allegedly carried out attacks in Asia and the Middle East, based on the BabLock samples submitted to VirusTotal. Notably, the group does not encrypt devices that use Russian and other languages spoken in the post-Soviet space.\r\nThe artifacts gathered during the incident response engagement in Europe suggest that BabLock employs sophisticated tactics such as the exploitation of a known vulnerability (CVE), DLL side-loading, and complex anti-analysis and detection evasion techniques. This blog post contains a comprehensive description of the BabLock attack: the gang’s toolset, the strain’s samples for Windows, ESXi, and Linux, as well as the TTPs used by the BabLock gang mapped to MITRE ATT\u0026CK®. 
Incident Response experts, SOC teams, and threat intelligence specialists will also find a list of all known indicators of compromise related to the new group at the end of this blog post.\r\nBabLock January Attack\r\nTo gain initial access to the victim’s infrastructure, the attackers used a remote code execution (RCE) vulnerability in the email software Zimbra Collaboration (ZCS) 8.8.15 and 9.0, namely CVE-2022-41352, which enables a threat actor to remotely execute arbitrary code. The vulnerability was discovered in September 2022 and has a NIST CVSS score of 9.8 (out of 10). The Zimbra Collaboration software used by the victim had not been updated, which once again highlights the importance of installing patches on time.\r\nAfter successfully exploiting this vulnerability, the attackers connected to the domain controller from the compromised Zimbra server via the Remote Desktop Protocol (RDP). To do so, they used a domain administrator account. We did not find any details about how the threat actors obtained the administrator account, because the logs available for examination after the attack did not contain such information. The day after the initial connection to the domain controller, the following files were copied:\r\nBEST_uninstallTool.exe\r\ncy.exe\r\nwinutils.dll\r\nconfig.ini\r\nBEST_uninstallTool.exe is a legitimate utility for uninstalling Bitdefender Endpoint Security Tools. The other files are related to the ransomware.\r\nTo gain access to Linux systems, the attackers used the PuTTY utility. As a result, a Linux version of the BabLock ransomware, s86.out, was copied to these systems. In addition, we detected connections to an external IP address that is used as Cobalt Strike network infrastructure.\r\nThe whole attack took about 24 hours to complete. 
As a result, files on Windows systems and network shares, as well as files belonging to VMware ESXi virtual machines, were encrypted. Notably, the attackers did not collect or transfer the victim’s data. After the encryption, .txt notes with ransom demands for decryption were created in each directory, and two email addresses were provided to contact the operators.\r\nThe IT infrastructure of the organization is based primarily on VMware ESXi virtual systems. After they were encrypted, most of the information that could be useful for investigating the incident became unavailable.\r\nIn the next section, we’ll focus on the analysis of the BabLock sample for Windows that we retrieved during the incident response engagement.\r\nRansomware for Windows\r\nMalware that uses the DLL side-loading technique rarely leaves cybersecurity researchers indifferent. Chinese APT groups have always been considered the creators and active users of this technique. The backdoor PlugX, attributed by cybersecurity researchers to Chinese threat actors, is the first to spring to mind regarding this technique.\r\nThe Windows version of the BabLock ransomware used in the investigated attack employs DLL side-loading: the vulnerable legitimate executable cy.exe is abused to load winutils.dll. The vulnerable file is cydump.exe from the Cortex XDR Dump Service Tool utility belonging to the cybersecurity company Palo Alto Networks, Inc. (Figure 1).\r\nFigure 1. Properties of cy.exe\r\nWe later found other samples of this malware family that used a legitimate file from software belonging to another cybersecurity company. The use of DLL side-loading by ransomware is somewhat surprising, but not extremely rare; for instance, this technique had earlier been used by Polar ransomware. This raises the question, however, of whether using DLL side-loading in ransomware makes sense. 
Affiliates of notorious RaaS programs use ransomware mostly at later stages of attacks, after bypassing most security controls. It is reasonable to assume that DLL side-loading is justified in programs for quick attacks, such as the one described above, where there is a risk that the ransomware will be detected and neutralized before it launches.\r\nAs a result of this technique, launching the legitimate file cy.exe will load the malicious winutils.dll (original name: XLOADERDLL.dll), which is located in the same directory.\r\nThe winutils.dll module is compressed using a modified UPX 3.96 packer, which prevents it from being unpacked with a standard version of UPX. Unpacking revealed other protective techniques in the DLL, such as string obfuscation, junk code, and calling Native API functions using direct system calls (syscall) (Figure 2). To obtain the system call numbers, the contents of ntdll.dll are loaded into memory as a memory-mapped file and the code of the following Native API functions is parsed:\r\nNtCreateFile\r\nNtReadFile\r\nNtWriteFile\r\nNtClose\r\nNtCreateProcess\r\nNtAllocateVirtualMemory\r\nNtReadVirtualMemory\r\nNtWriteVirtualMemory\r\nNtResumeThread\r\nNtCreateThreadEx\r\nNtQueryInformationProcess\r\nNtFreeVirtualMemory\r\nNtProtectVirtualMemory\r\nFigure 2. Calling Native API functions using syscall\r\nWhen winutils.dll is loaded, its code decrypts (using the RC4 algorithm) a shellcode from the file config.ini, launches the process %SystemRoot%\\system32\\notepad.exe in a suspended state, and injects the shellcode into it using the Native API functions NtAllocateVirtualMemory, NtWriteVirtualMemory, and NtProtectVirtualMemory. 
Launching the process notepad.exe reuses the command line that was used to launch cy.exe, with the following arguments added to it:\r\n–pt=\u003cWORK_DIR\u003e\\winutils.dll –cg=\u003cWORK_DIR\u003e\\config.ini\r\nwe=\u003cWORK_DIR\u003e\\cy.exe\r\nWORK_DIR is the directory that contains the ransomware files.\r\nAfter that, the API function RtlTestBit (ntdll.dll) is modified in the address space of the suspended notepad.exe: code for jumping to the shellcode is written to the beginning of the function:\r\nFigure 3. Code of the modified function RtlTestBit\r\nWith the help of the function NtCreateThreadEx, a thread is created and launched in the notepad.exe process; the modified RtlTestBit function is used as the thread function.\r\nThe shellcode loads the payload PE module contained in it directly into memory. The addresses of the necessary Windows API functions are obtained in the shellcode with the help of the Process Environment Block (PEB), and the algorithm for calculating hashes of function names is based on the popular ROR13 algorithm. It is worth mentioning that similar PE-module loader code has been observed in two other malware families, namely the banking Trojan KrBanker / BlackMoon and the TA505-related bot SDBbot.\r\nThe payload is ransomware in the PE32+ DLL format. The ransomware uses an unknown protector. After the protector was removed, the program’s main function remained virtualized; the strings were obfuscated using various methods, as in winutils.dll (Figure 4), and direct system calls (syscall) are used to call certain Native API functions:\r\nNtCreateFile\r\nNtReadFile\r\nNtWriteFile\r\nNtClose\r\nNtQueryInformationFile\r\nNtWaitForSingleObject\r\nNtSetInformationFile\r\nNtQueryEaFile\r\nFigure 4. 
String obfuscation in the BabLock ransomware\r\nIt is noteworthy that all ransomware modules for Windows that we found were compiled in 2021, according to their timestamps. Still, we could not classify this family, and very few samples were found. While much in this family, which we named BabLock, has been borrowed from other ransomware families, it cannot be considered a fork or a combination of different known samples. BabLock ransomware for Windows turned out to be a sophisticated program that uses various evasion and anti-analysis techniques.\r\nThe ransomware is written in C++ using the Standard Template Library (STL).\r\nFunctionalities\r\nThe ransomware does not encrypt files and shuts down if the default language of the system or user is one of the following (language ID in hex):\r\nRussian 419\r\nUkrainian 422\r\nBelarusian 423\r\nTajik 428\r\nArmenian 42B\r\nAzerbaijani Latin 42C\r\nAzerbaijani Cyrillic 82C\r\nGeorgian 437\r\nKazakh 43F\r\nKyrgyz 440\r\nThe language is checked using the Windows API functions GetSystemDefaultUILanguage and GetUserDefaultUILanguage.\r\nFor comparison, in addition to the list above, LockBit 3.0 (Black) checks for Tatar (444), Romanian Moldova (818) and Arabic Syria (2801).\r\nLaunching the ransomware requires specifying the correct value of the command-line argument “–run=”. In the sample in question this value is 3306, i.e. “–run=3306”; simply specifying 3306 in the command line without the argument is also possible. If the launch code is not specified or is specified incorrectly, the ransomware shuts down. This technique is used to evade sandbox analysis. The checked value 3306 is hardcoded in the form of a string in the sample. Other samples of BabLock for Windows use other launch values.\r\nDepending on the command-line parameters, the ransomware can encrypt a given object (directory, file, network resource) or the entire system. 
A description of the command-line arguments is provided below.\r\nThe ransomware stops the following security, backup, database management and other system services:\r\nvss, sql, svc$, memtas, mepocs, sophos, veeam, backup, GxVss, GxBlr, ccSetMgr, SavRoam, RTVscan, QBFCService, QBIDPService, Intuit.QuickBooks.FCS, QBCFMonitorService, YooBackup, YooIT, zhudongfangyu, veeam, PDVFSService, BackupExecVSSProvider, BackupExecAgentAccelerator, BackupExecAgentBrowser, BackupExecDiveciMediaService, BackupExecJobEngine, BackupExecManagementService, BackupExecRPCService, AcrSch2Svc\r\nThe ransomware also terminates the following processes of database management systems, email clients, office applications, etc.:\r\nsql.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefox.exe, tbirdconfig.exe, mydesktopqos.exe, ocomm.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, wrapper.exe, dbsrv12.exe\r\nTo delete volume shadow copies and system state backups, disable recovery in the Windows boot menu, clear Windows event logs, shut down certain services, and disable the firewall, the ransomware executes the following commands:\r\nvssadmin.exe Delete Shadows /All /Quiet\r\nbcdedit.exe /set {default} recoveryenabled No\r\nbcdedit.exe /set {default} bootstatuspolicy ignoreallfailures\r\nwbadmin.exe DELETE SYSTEMSTATEBACKUP\r\nwbadmin.exe DELETE SYSTEMSTATEBACKUP –deleteOldest\r\nwbadmin.exe delete catalog –quiet\r\nwbadmin.exe delete backup\r\nwbadmin.exe delete systemstatebackup -keepversions:0\r\nwevtutil.exe clear-log Application\r\nwevtutil.exe clear-log Security\r\nwevtutil.exe clear-log 
System\r\nwevtutil.exe clear-log \"windows powershell\"\r\nwmic.exe SHADOWCOPY /nointeractive\r\nnet.exe stop MSDTC\r\nnet.exe stop SQLSERVERAGENT\r\nnet.exe stop MSSQLSERVER\r\nnet.exe stop vds\r\nnet.exe stop SQLWriter\r\nnet.exe stop SQLBrowser\r\nnet.exe stop MSSQLSERVER\r\nnet.exe stop MSSQL$CONTOSO1\r\nnetsh.exe advfirewall set currentprofile state off\r\nnetsh.exe firewall set opmode mode=disable\r\nWhen these commands are executed, the ransomware uses an artifact-hiding technique called process argument spoofing: it creates a process for a system program in a suspended state, writes the command-line arguments directly into its PEB, and then resumes the process.\r\nIt is worth noting that alongside sophisticated solutions, the program contains simple mistakes. For instance, executing the command shown below will not delete volume shadow copies:\r\nwmic.exe SHADOWCOPY /nointeractive\r\nThe command lacks the required argument “DELETE”.\r\nCreation of an Active Directory group policy\r\nIf the ransomware has been launched on the domain controller with administrator privileges, it uses a group policy to share access to hosts’ disks, stop services and terminate processes on hosts, and spread itself across the local area network. 
The use of group policies in the ransomware is similar to how it is implemented in LockBit 2.0.\r\nThe ransomware extracts the following Group Policy Object (GPO) components — which define the new group policy — into the root directory on the domain controller:\r\n\\Machine\\Preferences\\NetworkShares\\NetworkShares.xml\r\n\\Machine\\Preferences\\Services\\Services.xml\r\n\\Machine\\comment.cmtx\r\n\\Machine\\Registry.pol\r\n\\User\\Preferences\\Files\\Files.xml\r\n\\User\\Preferences\\ScheduledTasks\\ScheduledTasks.xml\r\nGPO_GUID is the GUID of the new group policy.\r\nNetworkShares.xml (Figure 5) is meant for giving shared access to domain hosts’ disks so that the ransomware can reach more files in the victim’s network to encrypt them.\r\nFigure 5. Beginning part of NetworkShares.xml (example)\r\nServices.xml (Figure 6) is intended for stopping and blocking the following system services on domain hosts:\r\nSQLPBDMS, SQLPBENGINE, MSSQLFDLauncher, SQLSERVERAGENT, MSSQLServerOLAPService, SSASTELEMETRY, SQLBrowser, SQL Server Distributed Replay Client, SQL Server Distributed Replay Controller, MsDtsServer150, SSISTELEMETRY150, SSISScaleOutMaster150, SSISScaleOutWorker150, MSSQLLaunchpad, SQLWriter, SQLTELEMETRY, MSSQLSERVER\r\nFigure 6. The beginning part of Services.xml (example)\r\nThe files Registry.pol and comment.cmtx (Figure 7) are intended for disabling Windows Defender on hosts by modifying the relevant parameters in the system registry.\r\nFigure 7. 
Contents of comment.cmtx\r\nThe ransomware copies its files to the shared Active Directory files directory SYSVOL:\r\n\\\\\u003cDNS_DOMAIN_NAME\u003e\\sysvol\\\u003cDNS_DOMAIN_NAME\u003e\\scripts\\\r\nDNS_DOMAIN_NAME is the name of the DNS domain.\r\nFiles.xml (Figure 8) is intended for copying the ransomware files from the shared Active Directory files directory SYSVOL to the host’s %Public% directory.\r\nFigure 8. Contents of Files.xml (example)\r\nScheduledTasks.xml (Figure 9) is intended for creating two scheduled tasks on the host:\r\n1_MMdd_Services\r\n2_MMdd_\u003cEXE_NAME\u003e\r\nEXE_NAME is the name of the main executable (legitimate file) of the ransomware (cy.exe);\r\nMMdd is the month and day when ScheduledTasks.xml was created.\r\nFigure 9. Contents of ScheduledTasks.xml (example)\r\nThe scheduled task 1_MMdd_Services (Figure 10) terminates processes on domain hosts by executing the following command for each process from the list:\r\nC:\\Windows\\System32\\taskkill.exe /IM “\u003cPROC_NAME\u003e” /F\r\nNames of terminated processes (PROC_NAME):\r\nwxServer.exe, wxServerView.exe, sqlmangr.exe, RAgui.exe, supervise.exe, Culture.exe, Defwatch.exe, httpd.exe, sync-taskbar.exe, sync-worker.exe, wsa_service.exe, synctime.exe, vxmon.exe, sqlbrowser.exe, tomcat6.exe, Sqlservr.exe\r\nFigure 10. Part of 1_0123_Services (example)\r\nThe second task, 2_MMdd_cy.exe (Figure 11), calls the main ransomware executable, located in the host’s %Public% directory. The ransomware’s command-line arguments for the task are created based on the arguments of the launched ransomware.\r\nFigure 11. 
1_0123_cy.exe (example)\r\nScheduled tasks are launched immediately after they are created.\r\nGroup policies on domain computers are updated using the following PowerShell command:\r\npowershell.exe -Command \"Get-ADComputer -filter * -Searchbase 'AD_SEARCHPATH' | foreach{ I\r\nwhere AD_SEARCHPATH is the AD path for searches:\r\nDC=\u003cDC1\u003e,DC=\u003cDC2\u003e\r\nwhere DC1, DC2 are domain components.\r\nFile encryption\r\nThe ransomware encrypts files on disks and available network resources. Before encryption, the ransomware mounts hidden volumes. To search for network resources, the ransomware also enumerates Active Directory computers using LDAP queries.\r\nDuring encryption, the ransomware skips files and directories with the following names:\r\nAppData, Boot, Windows, WINDOWS, Windows.old, Ahnlab, Tor Browser, Internet Explorer, Google, Opera, ProgramData, All Users, autorun.inf, boot.ini, bootfont.bin, bootsect.bak, bootmgr, bootmgr.efi, bootmgfw.efi, desktop.ini, ntuser.ini, thumbs.db, NTUSER.DAT, ntuser.dat.LOG1, ntuser.dat.LOG2, thumbs.db, Program Files, Program Files (x86), #recycle, scripts, bootfont.bin, ntldr, config.ini, 1_config.ini, Policies, NETLOGON, SYSVOL, begin.txt, finish.txt\r\nPID is the ransomware process identifier.\r\nFiles with the following extensions are not encrypted either:\r\n“.exe”, “.dll”, “.sys”, “.com”, “.EXE”, “.DLL”, “.SYS”, “.COM”\r\nTo encrypt files, the ransomware uses a high-performance multithreaded implementation based on an I/O (input/output) completion port. I/O completion port–based multithreaded encryption is also implemented in ransomware such as LockBit 3.0 / BlackMatter, DarkSide, REvil, and the latest version of Hive v6.\r\nThe actual encryption of data is similar to how it is implemented in the Babuk ransomware family, but multithreaded encryption in Babuk is simpler. 
Babuk for Windows in general is much simpler than the ransomware in question. We decided to reflect the connection with Babuk in the name of the new ransomware family, all the more so because the Linux versions of the ransomware were developed based on the source code of Babuk for NAS and ESXi. We also decided to take into account the complexity of the Windows version and the similarity with LockBit in terms of group policy use. Hence, we named the new family BabLock.\r\nEncryption involves the stream cipher HC-128 with a 256-bit key and an initialization vector (IV). For each file, a 32-byte private key is generated using the Crypto API function CryptGenRandom. From this key, 32-byte public and shared keys are calculated by way of Diffie–Hellman key exchange implemented using Curve25519. The attackers’ public key used for the exchange is contained in the ransomware code. From the obtained shared key, a SHA-512 hash is calculated, whose first 32 bytes are used as the HC-128 key, while the other 32 bytes are used as the IV.\r\nThe ransomware encrypts the starting 16-megabyte block in files with the extensions “.sql”, “.mdf”, “.mdb”, “.db”, “.dbf”, “.wdb”, “.accdb”, “.rar,”, “.zip”, and “.7z”. In files with other extensions, one 16-kilobyte block is encrypted at a 256-byte offset. If the size of a file is less than 512 bytes, the file is encrypted fully.\r\nThe list of extensions above contains another simple mistake: for .rar files the comma comes before the quotation mark in the source code, which means that .rar files will not be encrypted.\r\nAfter the data in a file is encrypted, a 68-byte block of metadata is added to the end of the file. 
The metadata is encrypted using a 32-bit XOR operation with a dword key.\r\nOffset Size Description\r\n000h 32 Calculated public key for the file.\r\n020h 4 XCRC32 hash of the HC-128 encryption key and IV.\r\n024h 4 00000001h\r\n028h 8 Decryption ID corresponding to the first 8 bytes of the attackers’ public key.\r\n030h 16 Encrypted files marker: 75 EC 81 78 B9 DB 87 B0 E3 99 75 5D 8D 03 F9 65\r\n040h 4 XOR metadata encryption key. The value of the key is generated for each file.\r\nNames of encrypted files are as follows:\r\n\u003cFILENAME\u003e.\u003cRANSOM_EXT\u003e.\u003cRND_N\u003e\r\nFILENAME is the original name of the file;\r\nRANSOM_EXT is the extension, which is hardcoded in the ransomware code (“slpqne”);\r\nRND_N is a random two-digit number from 00 to 98 (inclusive).\r\nIn each processed directory, the ransomware creates _r_e_a_d_m_e.txt text files with a ransom demand for decrypting files (Figure 12).\r\nFigure 12. Contents of the text file _r_e_a_d_m_e.txt with a ransom note\r\nThe text of this note has largely been borrowed from the Yanluowang ransomware family. For other notes, BabLock used the text from the notes of an older family, LockCrypt. All of the discovered BabLock samples use the name _r_e_a_d_m_e.txt for text files with ransom notes. Ransom notes may differ, but they begin with a 16-character decryption ID (Figure 12) that corresponds to the first 8 bytes of the public key in hex-encoded representation.\r\nAfter the encryption is over, by default the ransomware creates a BMP image with text about files being encrypted (Figure 13) and sets it as the desktop wallpaper.\r\nFigure 13. 
A BMP image as a desktop background with text about files being encrypted\r\nCommand-line parameters\r\nParameter Description\r\n–run=\u003cKEY\u003e Specify the value of the key to launch the ransomware. The ransomware is launched if the key value is correct (3306). The correct KEY value is contained in the ransomware code. The key can be specified in the command line without specifying the argument itself “–run=”.\r\n–nomutex=1 Do not check the mutex. The mutex is used to check for the simultaneous launch of several ransomware copies. Mutex: “80CE038F-6317-984D-C0A7-FA0A1EED0199”\r\n–path=\u003cPATH\u003e Encrypt files in the specified path.\r\n–log=1 Create text log files: \u003cPID\u003e_l.log (log file) and \u003cPID\u003e_e.log (list of encrypted files). PID is the ransomware process identifier.\r\n–nodel=1 Do not delete the ransomware executables after shutting down.\r\nRansomware for Linux\r\nThe Linux version of the ransomware is a 32-bit program for Linux in ELF format written in Go 1.18.3 (release date: 2022-06-01).\r\nGOVERSION variable go1.18.3\r\nGOROOT variable C:\\Program Files\\Go\r\nGOPATH variable C:\\Users\\Administrator\\go\r\nAdditional packages used for creating the ransomware:\r\ngolang.org/x/crypto/chacha20\r\ngolang.org/x/crypto/curve25519\r\nThe ransomware was developed based on the source code of Babuk ransomware for NAS, which was made public in September 2021. The ransomware was compiled on a computer running Windows not later than January 6, 2022.\r\nFunctionalities\r\nThe ransomware encrypts files in a path specified in the command line. 
The ransomware’s command-line parameters are:\r\ns86.out \u003cPATH\u003e [esxi]\r\nPATH is the path for encrypting files;\r\nesxi is the encryption mode.\r\nDuring encryption, the ransomware skips directories that start with the following substrings:\r\n/proc, /boot, /sys, /run, /dev, /etc, /home/httpd, .system/thumbnail, .system/opt, .config, .qpkg, /mnt/ext/opt, /tmp, /usr/sh, /usr/bin, /usr/etc, /usr/sbin, /usr/lib, /usr/syno, /var/packages, /usr/local/packages, /bin, /lib, /lib32, /lib64, /libx32, /root, /sbin\r\nThe ransomware skips files whose paths start with the following substrings:\r\n/lib, /bin, /proc, /boot, home/httpd, .system/thumbnail, .system/opt, .config, .qpkg, /mnt/ext/opt, /tmp, /var/run, /sbin\r\nIn esxi encryption mode, the ransomware only encrypts files with the following extensions: “.log”, “.vdmk”, “.vmem”, “.wsvp”, “.wmsn”.\r\nFile encryption\r\nThe ransomware performs multithreaded encryption of files. Data is encrypted using the ChaCha20 stream cipher algorithm. For each file, a 32-byte private key is generated (/dev/urandom), from which 32-byte public and shared keys are calculated by way of Diffie–Hellman key exchange implemented using Curve25519. The attackers’ public key used for the exchange is contained in the ransomware code. From the obtained public key, a SHA-256 hash is calculated, which is used as the ChaCha20 key. From this key, a SHA-256 hash is calculated, whose bytes [10:22] are used as the nonce.\r\nIn files with the extensions “.log”, “.vdmk”, “.vmem”, “.wsvp”, and “.wmsn”, the ransomware encrypts ten 16384-byte blocks, each at an offset in the file divisible by 10 megabytes. 
In files with other extensions, only the first 16384-byte starting block is encrypted.\r\nAfter the data in a file is encrypted, a 46-byte block of metadata is added to the end of the file.\r\nOffset Size Description\r\n000h 32 Calculated public key for the file.\r\n020h 6 Encrypted files marker: CE AD 38 DE F9 00 – one block is encrypted; CE AD 38 DE F9 01 – several blocks are encrypted.\r\n026h 8 Decryption ID, which corresponds to the first 8 bytes of the attackers’ public key.\r\nIn each processed directory, the ransomware creates _r_e_a_d_m_e.txt text files with a ransom demand for decrypting files. The contents of _r_e_a_d_m_e.txt are identical to the ones created by BabLock for Windows.\r\nRansomware for ESXi\r\nIn the attack in question, we were unable to obtain a sample of BabLock for ESXi, but we found samples of BabLock for ESXi that were used in other attacks.\r\nThe ransomware is a 64-bit program for Linux in ELF format compiled using the GNU Compiler Collection (GCC). The ransomware was developed based on the source code of Babuk for ESXi, which was made public in September 2021, and is virtually identical to the original.\r\nThe ransomware encrypts files in a path specified in the command line and only encrypts files with the following extensions: “.log”, “.vdmk”, “.vmem”, “.wsvp”, and “.wmsn”.\r\nFile encryption\r\nThe ransomware performs multithreaded encryption of files, with 16 threads used for encryption. Data is encrypted using the Sosemanuk stream cipher algorithm. For each file, a 32-byte private key is generated (/dev/urandom), from which 32-byte public and shared keys are calculated by way of Diffie–Hellman key exchange implemented using Curve25519. The attackers’ public key used for the exchange is contained in the ransomware code. 
From the obtained shared key, a SHA-256 hash is calculated, which is used as the Sosemanuk key.\r\nThe ransomware encrypts the first 100 megabytes of each file in 10-megabyte blocks. For comparison, Babuk for ESXi encrypts the first 500 megabytes in 1-megabyte blocks.\r\nAfter the data in a file is encrypted, a 40-byte block of metadata is added to the end of the file.\r\nOffset Size Description\r\n000h 32 Calculated public key for the file.\r\n020h 8 Decryption ID, which corresponds to the first 8 bytes of the attackers’ public key.\r\nThe original Babuk does not have a Decryption ID metadata field.\r\nThe names of encrypted files are as follows:\r\n\u003cFILENAME\u003e.\u003cRANSOM_EXT\u003e\r\nFILENAME is the original name of the file;\r\nRANSOM_EXT is the extension, which is hardcoded in the ransomware code (“slpqne”).\r\nIn each processed directory, the ransomware creates _r_e_a_d_m_e.txt text files with a ransom demand for decrypting files.\r\nConclusion\r\nWe believe that the BabLock group is not related to any particular RaaS affiliate program and that it performs “quiet” occasional attacks using proprietary ransomware.\r\nThe geographical scope of the group’s attacks and the fact that they check whether the ransomware is launched on computers that use post-Soviet countries’ languages in order to prevent encryption could suggest that the group might be Russian speaking, but the information is insufficient to attribute the attack.\r\nThe group managed to remain unnoticed for a long time because they conducted few attacks and did not employ double or triple extortion techniques. To pressure its victims, BabLock only threatens to launch attacks again, according to its ransom note. 
Another factor that contributed to the group’s low profile could be that for encrypting Linux systems BabLock used ransomware based on the published source code of Babuk with insignificant modifications. However, it is the version for Windows, its complexity, and the evasion and anti-analysis techniques used that caught our eye. It would make more sense for the threat actors to use a simpler program based on Babuk to encrypt Windows systems, but they preferred developing their own, more sophisticated program, which overall is not similar to other families. It is also unusual that all of the samples for Windows that we have discovered were dated 2021.\r\nRecommendations\r\n1. Regularly installing critical updates for operating systems and software used.\r\n2. Setting up strong password policies for both local and domain accounts. Verifying that different passwords are used for local administrators on all the hosts in the infrastructure.\r\n3. When managing access rights, sticking to the principle of minimal required privileges in the system, with a special focus on service accounts as well as accounts used for automated tasks and remote access.\r\n4. Prohibiting direct RDP access to workstations and servers from outside the internal network.\r\n5. Ensuring that the storage period for operating system event logs and security controls logs lasts for at least three months.\r\n6. Collecting the following logs from the VMware ESXi hypervisor: auth.log, hostd.log, syslog.log, vmksummary.log, vmkernel.log.\r\n7. In the Linux segment, setting up the auditd tool, designed for monitoring operating system events.\r\n8. Setting up the collection of Windows events relating to:\r\n- successful and unsuccessful login attempts\r\n- enabling/disabling and blocking accounts\r\n- creating local and domain accounts\r\n- adding users to groups, especially ones granting elevated privileges\r\n- creating services, processes, and scheduled tasks\r\n- changing domain and local security policies\r\n- executing commands using various command interpreters\r\n- critical triggering of the built-in Windows security tool (Windows Defender)\r\n- accessing objects in network shares\r\n- clearing event logs\r\n9. Implementing the centralized collection of events in the Linux/Windows infrastructure and their transfer to a data collection system (e.g., ELK, SIEM).\r\n10. Using Group-IB Managed Extended Detection and Response (MXDR) to protect end devices.\r\n11. Using Group-IB Attack Surface Management (ASM) to control the security posture of the organization’s infrastructure.\r\n12. Using Threat Intelligence to keep track of the group and changes in its tactics, techniques, and procedures.\r\nBabLock Ransomware MITRE ATT\u0026CK\r\nTactic | Technique | Description\r\nTA0001 Initial Access | T1190 Exploit Public-Facing Application | As an initial access vector, the attacker used vulnerabilities in the email software Zimbra and as a result gained RDP access to an email system server.\r\nT1106 Native API | The ransomware uses direct system calls (syscall) to launch certain Native API functions.\r\nT1053.005 Scheduled Task/Job: Scheduled Task | For the ransomware to spread in the victim’s infrastructure, a group policy (GPO) is used, which creates scheduled tasks on domain hosts to launch the ransomware and stop SQL system services.\r\nT1059.001 Command and Scripting Interpreter: PowerShell | A PowerShell script is used to update group policies on domain computers.\r\nIndicators of compromise\r\nWindows\r\ncy.exe 4874d336c5c7c2f558cfd5954655cacfc85bcfcb512a45fb0ff461ce9c38b86d\r\nwinutils.dll 2fd264f58ba82a2675280ec8c6759612def2bcc62aa6160f5e23071f67bb67ab\r\nconfig.ini 03c41019faf7e4cc26ca0dd3a2c41b2115e4c4ebd561402079bc4a20256c1813\r\nShortcut.exe 88081a21e500e831d86666ca5d7a3d348f7c03bc5c471b6d17d8b18a022f25be\r\nlibexpa.dll aa48acaef62a7bfb3192f8a7d6e5229764618ac1ad1bd1b5f6d19a78864eb31f\r\nconfig.ini b99d114b267ffd068c3289199b6df95a9f9e64872d6c2b666d63974bbce75bf2\r\nwinutils.dll 66bcad0829a59c424d062b949c2a556b11c509b17515dffecb9cbf65f13f3dc6\r\nDumped payload\r\n38c610102129be21d8d99ac92f3369c6650767ed513e5744c0cda54e68b33812\r\ne14b88795bde45cf736c8363c71a77171aa710a4e7fa9ce38470082cb1bdadbb\r\nLinux/ESXi\r\n7d62a33e9a2fedff6cf27aaa142ff15838a766ccd4a8d326424611e155442775\r\n83052cc23c45ecaa09fe5c87fd650c7f8e708aea46756a2b9d452d40ce3b9c00\r\nb711579e33b0df2143c7cb61246233c7f9b4d53db6a048427a58c0295d8daf1c\r\nde5a53131225dd97040d48221d9afd98760f7ff2f55613f0d08436891ca632b9\r\nThe threat actors’ email addresses\r\ndcqyvp1@onionmail.org\r\nDcqYvp@onionmail.org\r\ndyhdsak@onionmail.org\r\ndyhdsak1@onionmail.org\r\njzmc2t@tutanota.com\r\njzmc2t@onionmail.org\r\nngoueeb@onionmail.org\r\nngoueeb1@onionmail.org\r\nvvbured@onionmail.org\r\nvvbured1@onionmail.org\r\nwvpater@onionmail.org\r\nwvpater1@onionmail.org",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.group-ib.com/blog/bablock-ransomware/"
	],
	"report_names": [
		"bablock-ransomware"
	],
	"threat_actors": [
		{
			"id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59",
			"created_at": "2024-06-19T02:03:08.128175Z",
			"updated_at": "2026-04-10T02:00:03.636663Z",
			"deleted_at": null,
			"main_name": "GOLD TAHOE",
			"aliases": [
				"Cl0P Group Identity",
				"FIN11 ",
				"GRACEFUL SPIDER ",
				"SectorJ04 ",
				"Spandex Tempest ",
				"TA505 "
			],
			"source_name": "Secureworks:GOLD TAHOE",
			"tools": [
				"Clop",
				"Cobalt Strike",
				"FlawedAmmy",
				"Get2",
				"GraceWire",
				"Malichus",
				"SDBbot",
				"ServHelper",
				"TrueBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75d4d6a9-b5d1-4087-a7a0-e4a9587c45f4",
			"created_at": "2022-10-25T15:50:23.5188Z",
			"updated_at": "2026-04-10T02:00:05.26565Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"TA505",
				"Hive0065",
				"Spandex Tempest",
				"CHIMBORAZO"
			],
			"source_name": "MITRE:TA505",
			"tools": [
				"AdFind",
				"Azorult",
				"FlawedAmmyy",
				"Mimikatz",
				"Dridex",
				"TrickBot",
				"Get2",
				"FlawedGrace",
				"Cobalt Strike",
				"ServHelper",
				"Amadey",
				"SDBbot",
				"PowerSploit"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e447d393-c259-46e2-9932-19be2ba67149",
			"created_at": "2022-10-25T16:07:24.28282Z",
			"updated_at": "2026-04-10T02:00:04.921616Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"ATK 103",
				"Chimborazo",
				"G0092",
				"Gold Evergreen",
				"Gold Tahoe",
				"Graceful Spider",
				"Hive0065",
				"Operation Tovar",
				"Operation Trident Breach",
				"SectorJ04",
				"Spandex Tempest",
				"TA505",
				"TEMP.Warlock"
			],
			"source_name": "ETDA:TA505",
			"tools": [
				"Amadey",
				"AmmyyRAT",
				"AndroMut",
				"Azer",
				"Bart",
				"Bugat v5",
				"CryptFile2",
				"CryptoLocker",
				"CryptoMix",
				"CryptoShield",
				"Dridex",
				"Dudear",
				"EmailStealer",
				"FRIENDSPEAK",
				"Fake Globe",
				"Fareit",
				"FlawedAmmyy",
				"FlawedGrace",
				"FlowerPippi",
				"GOZ",
				"GameOver Zeus",
				"GazGolder",
				"Gelup",
				"Get2",
				"GetandGo",
				"GlobeImposter",
				"Gorhax",
				"GraceWire",
				"Gussdoor",
				"Jaff",
				"Kasidet",
				"Kegotip",
				"Kneber",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Locky",
				"MINEBRIDGE",
				"MINEBRIDGE RAT",
				"MirrorBlast",
				"Neutrino Bot",
				"Neutrino Exploit Kit",
				"P2P Zeus",
				"Peer-to-Peer Zeus",
				"Philadelphia",
				"Philadephia Ransom",
				"Pony Loader",
				"Rakhni",
				"ReflectiveGnome",
				"Remote Manipulator System",
				"RockLoader",
				"RuRAT",
				"SDBbot",
				"ServHelper",
				"Shifu",
				"Siplog",
				"TeslaGun",
				"TiniMet",
				"TinyMet",
				"Trojan.Zbot",
				"Wsnpoem",
				"Zbot",
				"Zeta",
				"ZeuS",
				"Zeus"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434445,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fe27753f8d79d18214155a7120e6912ad182c456.pdf",
		"text": "https://archive.orkl.eu/fe27753f8d79d18214155a7120e6912ad182c456.txt",
		"img": "https://archive.orkl.eu/fe27753f8d79d18214155a7120e6912ad182c456.jpg"
	}
}