{"id":2259,"date":"2024-09-25T14:16:36","date_gmt":"2024-09-25T14:16:36","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2259"},"modified":"2025-07-29T03:29:44","modified_gmt":"2025-07-29T03:29:44","slug":"babuk-ransomware-linux-variant-analysis","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/babuk-ransomware-linux-variant-analysis\/","title":{"rendered":"Babuk Ransomware\u00a0Linux Variant Analysis"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Babuk.webp\" alt=\"Babuk Ransomware\"\/><figcaption class=\"wp-element-caption\">Babuk Ransomware<\/figcaption><\/figure>\n\n\n\n<p>The Babuk ransomware gang, a Russian-speaking cybercriminal group, has been actively compromising networks for the past year and has adopted the multiple-extortion model against its victims, a trend shared with other ransomware gangs in recent times.<\/p>\n\n\n\n<p>The gang\u2019s operational model can be considered an enterprise model: multiple threat actors take part, each carrying out a different stage of the infection cycle in return for a promised share of the profits. This includes a dedicated negotiation team that pressures victims and threatens them with a data leak if the ransom is not paid.<\/p>\n\n\n\n<p>While investigating this gang, <a href=\"http:\/\/lmntrix.com\">LMNTRIX<\/a> researchers encountered an interesting variant of Babuk ransomware that targets Linux machines. The sample is a 64-bit ELF file, and many AV vendors have started detecting it as \u201cRansomware Linux Babyk\u201d. 
This variant has been used against a wide range of industries and is not tied to any specific target.<\/p>\n\n\n\n<p><strong>Sample details<\/strong><\/p>\n\n\n\n<p>File Hash (SHA-256): dc90560d7198bf824b65ba2cfbe403d84d38113f41a1aa2f37f8d827fd9e0ceb<\/p>\n\n\n\n<p>File Size: 69 KB<\/p>\n\n\n\n<p>File Type: ELF (64-bit)<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"752\" height=\"445\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Babuk-Ransomware-Linux-Variant-1.webp\" alt=\"\" class=\"wp-image-2260\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"752\" height=\"315\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Babuk-Ransomware-Linux-Variant-2.webp\" alt=\"\" class=\"wp-image-2261\"\/><\/figure>\n\n\n\n<p><strong>Code Analysis<\/strong><\/p>\n\n\n\n<p>Basic static analysis shows that the sample contains code to encrypt file contents, looks for specific file types (mostly virtual machine disk images), and carries a ransom note (how_to_restore_your_files.txt).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"752\" height=\"180\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Babuk-Ransomware-Linux-Variant-3.webp\" alt=\"\" class=\"wp-image-2262\"\/><\/figure>\n\n\n\n<p>Disassembly revealed further interesting strings and code snippets, shown in the snapshot below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"752\" height=\"382\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Babuk-Ransomware-Linux-Variant-4.webp\" alt=\"\" class=\"wp-image-2263\"\/><\/figure>\n\n\n\n<p>The disassembled code clearly lays out the flow: the \u2018.babyk\u2019 extension is appended to encrypted files, the ransom note is dropped, and the code looks for virtual disk images (typical of production server storage and a key differentiator between server and desktop machines). This variant also contains code to count encrypted files, skipped files and the total number of files. The obvious purpose of these statistics is that the actor can present them as added leverage when threatening to leak the data dump on the dark web or to the victim\u2019s competitors.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"752\" height=\"328\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Babuk-Ransomware-Linux-Variant-5.webp\" alt=\"\" class=\"wp-image-2264\"\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"752\" height=\"350\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Babuk-Ransomware-Linux-Variant-6.webp\" alt=\"\" class=\"wp-image-2265\"\/><\/figure>\n\n\n\n<p>As security researchers have highlighted in various analyses of Babuk ransomware, its variants usually contain subroutines that read directories and proceed to encrypt the files in them. Similar code is present in this variant as well.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"752\" height=\"577\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Babuk-Ransomware-Linux-Variant-7.webp\" alt=\"\" class=\"wp-image-2266\"\/><\/figure>\n\n\n\n<p>While reading a directory, the malware compares each file name against the Babyk watermark using the strcmp subroutine. 
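<\/p>\n\n\n\n<p>The following Python script is an added example for responders; it is not code from the original post or from the Babuk authors. It reproduces, on the defensive side, the two pieces of logic described above: the extension comparison against the \u2018.babyk\u2019 watermark that decides whether a file is skipped, and the encrypted \/ not-encrypted \/ total counts the sample keeps. It also evaluates the string condition of the YARA rule given at the end of this post over every ELF file it finds, so a responder can locate the dropper on a host without a YARA install. The directory layout, file names, the fake encryptor and the stand-in \u2018ls\u2019 binary it writes into a temporary directory are constructed for the demo, and the 1 MiB read limit per file is an assumption (the sample itself is 69 KB); only the extension, note names and rule strings come from the post.<\/p>

```python
import os
import tempfile

# Indicators taken from the post: the extension the sample appends, the ransom
# note it drops (both spellings the post gives), and the four strings used by
# the YARA rule at the end of the post.
BABYK_EXT = '.babyk'
NOTE_NAMES = {'How To Restore Your Files.txt', 'how_to_restore_your_files.txt'}
RULE_STRINGS = {
    'restore': b'/How To Restore Your Files.txt',
    'ransom': b'.babyk',
    'linux_1': b'/lib64/ld-linux-x86-64.so.2',
    'linux_2': b'/dev/urandom',
}
ELF_MAGIC = bytes([0x7F, 0x45, 0x4C, 0x46])  # 0x7f 'E' 'L' 'F'


def already_encrypted(name):
    # The same decision the sample makes before encrypting a file: compare the
    # extension with the '.babyk' watermark and skip the file on a match.
    return os.path.splitext(name)[1] == BABYK_EXT


def matches_rule(data):
    # Evaluates the YARA condition from the post over raw bytes:
    #   $restore and $ransom and ($linux_1 or $linux_2)
    # Only $restore and $ransom discriminate; the two $linux_* strings occur in
    # practically every dynamically linked x86-64 ELF binary.
    hit = {name: s in data for name, s in RULE_STRINGS.items()}
    return hit['restore'] and hit['ransom'] and (hit['linux_1'] or hit['linux_2'])


def triage(root, scan_bytes=1024 * 1024):
    # Walks a tree, reproduces the encrypted / not-encrypted / total counts the
    # sample keeps, counts ransom notes, and flags ELF files whose strings
    # satisfy the rule. scan_bytes (1 MiB, an assumption) bounds the read per
    # file; the real sample is only 69 KB.
    stats = {'total': 0, 'encrypted': 0, 'not_encrypted': 0, 'notes': 0, 'binaries': []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            stats['total'] += 1
            if name in NOTE_NAMES:
                stats['notes'] += 1
                continue
            if already_encrypted(name):
                stats['encrypted'] += 1
                continue
            stats['not_encrypted'] += 1
            try:
                with open(path, 'rb') as fh:
                    head = fh.read(scan_bytes)
            except OSError:
                continue  # unreadable file: counted, not scanned
            if head.startswith(ELF_MAGIC) and matches_rule(head):
                stats['binaries'].append(path)
    return stats


def build_sample_tree():
    # Constructed, hypothetical victim layout for the demo; no real sample is
    # written to disk. Returns the temporary root directory.
    root = tempfile.mkdtemp(prefix='babyk-triage-')
    store = os.path.join(root, 'vmfs', 'volumes', 'datastore1')
    usrbin = os.path.join(root, 'usr', 'bin')
    tmp = os.path.join(root, 'tmp')
    for d in (store, usrbin, tmp):
        os.makedirs(d)
    # Fake dropper carrying every rule string, and a benign-looking binary that
    # carries only the generic loader and /dev/urandom strings.
    fake_encryptor = ELF_MAGIC + b' '.join(RULE_STRINGS.values())
    benign_binary = ELF_MAGIC + RULE_STRINGS['linux_1'] + RULE_STRINGS['linux_2']
    files = {
        os.path.join(store, 'web01.vmdk.babyk'): b'E' * 64,  # already encrypted
        os.path.join(store, 'db01.vmdk'): b'K' * 64,         # not yet touched
        os.path.join(store, 'How To Restore Your Files.txt'): b'your files are encrypted',
        os.path.join(tmp, 'encryptor'): fake_encryptor,
        os.path.join(usrbin, 'ls'): benign_binary,
    }
    for path, data in files.items():
        with open(path, 'wb') as fh:
            fh.write(data)
    return root


if __name__ == '__main__':
    print(triage(build_sample_tree()))
```

<p>Running the script prints the counts for the constructed tree and lists only the fake encryptor under \u2018binaries\u2019. The stand-in \u2018ls\u2019 carries both $linux_* strings and is correctly not reported, which is the point to keep in mind when tuning the rule: the loader path and \/dev\/urandom only confirm the platform, while the ransom note path and the \u2018.babyk\u2019 extension carry the detection.<\/p>

<p>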
If the Babyk string is present in the file extension, the specimen does not encrypt the file, since it takes the file to be already encrypted by this same variant.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"735\" height=\"542\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/09\/Babuk-Ransomware-Linux-Variant-8.webp\" alt=\"\" class=\"wp-image-2267\"\/><\/figure>\n\n\n\n<p>If the babyk watermark is absent, the subroutine proceeds to encrypt the file and then renames it.<\/p>\n\n\n\n<p><strong>Yara Rule<\/strong><\/p>\n\n\n\n<p>Note that the two $linux_* strings appear in almost any dynamically linked x86-64 ELF binary, so they only confirm the platform; the detection rests on the ransom note path and the \u2018.babyk\u2019 extension.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>rule Ransom_linux_babyk\n{\n    meta:\n        description = \"Rule to detect Babuk Linux Variant\"\n        malware_family = \"Ransom:Win\/Babuk\"\n        malware_type = \"Ransom\"\n        mitre_attack = \"T1027, T1083, T1057, T1082, T1129, T1490, T1543.003\"\n\n    strings:\n        $restore = \"\/How To Restore Your Files.txt\"\n        $linux_1 = \"\/lib64\/ld-linux-x86-64.so.2\"\n        $ransom  = \".babyk\"\n        $linux_2 = \"\/dev\/urandom\"\n\n    condition:\n        $restore and $ransom and ($linux_1 or $linux_2)\n}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>The Babuk ransomware gang, a Russian-speaking cybercriminal group, has been actively compromising networks for the past year and has adopted 
the multiple-extortion model against its victims, a trend shared with other ransomware gangs in recent times. The Babuk ransomware gang\u2019s operational model can be considered an enterprise model where multiple [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2268,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2259","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2259","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2259"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2259\/revisions"}],"predecessor-version":[{"id":4216,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2259\/revisions\/4216"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2268"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2259"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2259"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2259"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}