Babuk Locker Ransomware
The Babuk Locker Ransomware Ransomware is an extremely threatening and highly sophisticated malware geared towards infecting company networks mainly but can affect individual computers as easily. Users who fall victim to the Babuk Locker Ransomware will have their files encrypted with a potent combination of SHA256 hashing, ChaCha8 encryption, coupled with ECDH key generation and algorithm. In practice, this means that only the cybercriminals responsible for the threat have the necessary decryption keys and tools to restore the locked files potentially.
Babuk Locker Ransomware's has several different capabilities that facilitate its encryption process. The threat abuses the Windows Restart Manager to end processes that might interfere with its operations, for example, by having a specific file opened in the program and thus unable to be encrypted. Some of the processes targeted by Babuk Locker Ransomware are notepad.exe, sql.exe, outlook.exe, firefox.exe, dbsnmp.exe, ocssd.exe, isqlplussvc.exe, excel.exe. The threat also will delete the VSS (Volume Shadow Copy) default backups created by Windows. Furthermore, the ransomware will try to cause the maximum possible damage by seeking out and encrypting any remote drives connected to the infected system. Some private information also may have been exfiltrated by the threat to the servers of the hackers, as mentioned in Babuk Locker Ransomware's ransom note.
The ransom note itself is delivered in the form of text files named 'How To Restore Your Files.txt' that will be dropped in every folder containing encrypted data. The threat also will modify the original names of the files it encrypts by appending '.__NIST_K571__' as a new extension. As a communication channel with their victims, the hackers have established a dedicated website with a live chat function hosted on the TOR network.
The instructions delivered by the Babuk Locker Ransomware Ransomware are:
'----------- [ Hello! ] ------------->
****BY Babuk Locker Ransomware****
What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network.
Follow our instructions below and you will recover all your data.
If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web.
What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
We guarantee to decrypt one file for free. Go to the site and contact us.
How to contact us?
----------------------------------------------
Using TOR Browser ( hxxps://www.torproject.org/download/ ):
hxxp://babukq4e2p4wu4iq.onion/login.php?id=8M60J4vCbbkKgM6QnA07E9qpkn0Qk7
!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!'
