McAfee experts released a report on Babuk ransomware, in which they concluded that attempts to make the malware cross-platform and use it against Linux / UNIX and ESXi or VMware have failed.
Let me remind you that at the beginning of the year, the creators of Babuk reported that they had developed a version of the ransomware for * nix, since many backends in large companies do not run under Windows at all. However, according to the researchers, the ransomware was written with many errors that “led to irreversible data corruption.”
“It looks like Babuk ran a live beta test on its victims when it came to developing the Golang binary and decoder. We observed that several victims’ machines were encrypted without the possibility of data recovery due to a faulty binary and a faulty decryptor, ”write the McAfee experts.
Thus, even if the victim agrees to pay the ransom to the hackers, it will not be possible to decrypt the affected files. Experts hope that this will ultimately affect the relationship of Babuk developers with “partners” who are directly involved in attacks and infect networks of victims with malware. If victims cannot get their data back even after paying the ransom, their grievances will turn to Babuk’s “partners”.
Since destroying data instead of encrypting it is less profitable from the point of view of criminals, experts believe that it was the complete inoperability of the * nix version of Babuk and the decryptor that forced hackers to switch to data theft and extortion, abandoning encryption.
Let me remind you that earlier this year, Babuk’s operators announced that they were shutting down (after a loud attack on the Washington police department). It is believed that the hackers renamed their “leak site” to Payload.bin, and were ready to provide it to other criminals as a third-party hosting, where someone’s files can be leaked without starting their own site for this purpose, as well as as a platform on which ransomware, access brokers and other criminals will be able to “meet”. Indeed, recently, almost all major hack forums have banned any discussion related to ransomware and ransomware. However, things do n’t seem to be going well for the group., and the forum was unable to gain popularity, but was subjected to DDoS attacks and suffered from various bugs.
As for the failed Babuk decryptor, the researchers tell the following about it:
“In general, the decryptor is bad because it only looks for the .babyk extension and skips any files the victim might have renamed in an attempt to recover them. In addition, the decryptor checks if the file is larger than 32 bytes, since the last 32 bytes are later combined with other hard-coded values to obtain the key. This is bad design, because those 32 bytes might be garbage, not a key. “