Babuk Ransomware Gang Mulls Retirement

The RaaS operators have been posting, tweaking and taking down a goodbye note, saying that they’ll be open-sourcing their data encryption malware for other crooks to use.

Just a few days after hackers bragged about purportedly raiding the computer systems of the Washington D.C. Metropolitan Police Department (MPD) and doxxing what looked like its data, the Babuk ransomware-as-a-service (RaaS) gang prepared a goodbye note saying that they’re hanging up its spurs.

According to BleepingComputer, the message was short, sweet and rapidly blinked out of existence after being up for just a short time. That’s kind of like the gang, actually. The threat group had only been around for a few months before (potentially), now exiting stage left. Unlike the Ziggy ransomware gang during its recent exit, and unfortunately for its victims, the Babuksketeers offered neither apologies nor refunds.

Babuk did, however, promise to pass the torch on to other criminals by open-sourcing the source code for the Babuk file-encrypting malware, saying that it would make it publicly available once it terminated the “project.”

The message, which had been posted for a short time on the main page of the gang’s site, was reportedly tweaked multiple times and was taken down after a short time. But Dmitry Smilyanets of Recorded Future did manage to capture this version of the goodbye letter:

The “PD” referred to in that version of the note is a clear reference to the cybercriminals’ most recent victim: the MPD. On Monday, the gang had posted what they claimed were arrested people’s mug shots and personal details, police reports, and internal memos. The fact that they repeatedly fiddled with the message opens the door to the possibility that the crooks might not be ready quite yet to stop plaguing the world, though.

Specifically, in one version of the message seen by BleepingComputer, there was no reference to “PD.” Instead, there were just asterisks, like the blank spaces left in the template of a form that can be filled in later as need be.

New to RaaS but Full of Virtue Signaling

Babuk is new to the RaaS game, having been discovered just earlier this year. It’s had plenty of impact, though: In just a few months, it went after at least five big enterprises, managing to score $85,000 after one of its victims coughed up the ransom. We don’t know which company paid up, but we do know of one public confirmation from a targeted company: Serco, an outsourcing firm, confirmed that it had been slammed with a double extortion ransomware attack in late January. That’s an attack in which the ransomware operators not only lock up files, but also steal data and threaten to leak it if the ransom isn’t paid.

When the gang first crawled out of the muck, it portrayed itself as a Robinhood wannabe. The Babuk operators said they wouldn’t attack hospitals, non-profits (unless they support LGBT or BLM, that is, presumably demonstrating their biases), small businesses (under $4 million USD in annual revenue: data they claimed to have gathered from Zoom) and schools (except for universities). Everybody else was fair game, including plastic surgery and dental clinics (presumably demonstrating that the operators may have suffered from poor dentistry or botched tummy tucks) and major universities.

Randy Pargman, a 15-year veteran of the FBI and current VP of Threat Hunting & Counterintelligence at Binary Defense, has been tracking Babuk from the get-go. He told Threatpost on Thursday that the operators behind the RaaS either truly don’t want to attack those entities, or they’re just putting on a public face, telling the world that hey, they’re not all that bad.

Babuk’s data leak site has likewise painted a picture of corporations being the evil one in the ransomware equation, whereas the operators are the good guys, what with their “auditing” of security profiles and “helping” organizations by uncovering their weaknesses.

The MPD attack was an example of the gang’s virtue signaling: In their demand note, the threat actors taunted the police by referring to having discovered a zero day before the MPD did.

Pargman doesn’t quite swallow either the virtue signaling or the truthfulness of the exit note. He suspects that threatening the metropolitan police department of the nation’s capitol may have brought on a bit more attention than the gang anticipated, coming from places that don’t take this stuff lying down. “They probably realized that the heat was turned up after they threatened the DC Metro PD, so they’re closing shop as Babuk, releasing their source code to enable copycats and cause confusion in attribution,” he said in a phone conversation. “After a period of time off, they will return with a new and improved version of their ransomware, claiming to be a brand new group that benefited from the public release of Babuk’s code but pretending that they are not related to Babuk at all.”

Particularly given the recent news about governments joining together to rub out the ransomware economy, Pargman says that it was only a matter of time before the Treasury Department decided to add Babuk to its sanctions list over the MPD attack. A sanction would have jeopardized all future revenue, since it would have cut the crooks off from the payment facilitation companies that they need to transfer bitcoin.

But the Treasury Department doesn’t sanction just anybody, Pargman noted. For one thing, it picks and chooses groups based on strong evidence identifying who’s behind the mayhem, vs. how the security industry relies on technical indicators of compromise.

Did Babuk Pick on the Wrong Guys?

Are the Babuk operators considering retirement because they were too successful for their own good? Successful, as in, big enough to put substantial hurt on individuals or entities, and then too, picking on the wrong targets? Pargman points to the Babuk gang’s apparent doxxing of police data as being the kind of crime that can put a stick in the spokes of police investigations, potentially leading to injury or even death. For example, if police informants’ identities were to be leaked in a double extortion attack on a law enforcement body, it could lead to criminals killing informants.

“I don’t know whether Babuk will become a target of a Treasury Department sanction or not,” Pargman said. “What I do anticipate is that the results from the data leaks from the [MPD] and whatever results [from those leaks] will probably be the biggest determining factor of whether they’ll be sanctioned in the future or not. If they release a large amount of sensitive information that harms ongoing law enforcement investigations or tips off criminals or lets them know who informants are, and that leads to them getting killed, [that] could get the attention of the US government to find out who are the people behind that harm and to sanction them.”

A comparable situation happened in Germany last year: A patient died in September 2020 while in an ambulance that had been re-routed due to a hospital having been paralyzed by ransomware. Police launched a negligent-homicide investigation and said they might hold the hackers responsible: the first time that law enforcement had considered a cyberattack to be directly responsible for a death. It was subsequently determined that the patient died of other causes, leading a German prosecutor to drop the murder charge, but it still points to how much more seriously government bodies take cybercrime when human lives are at stake.

Download our exclusive FREE Threatpost Insider eBook, “2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!

Source

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s