McAfee says Babuk decryptor does not work and corrupts victims’ data

by Emma Davis
April 22, 2022
Babuk decryptor not work
Written by Emma Davis

McAfee experts released a report in which they analysed the Babuk decryptor and reported that it does not work and corrupts victims’ data.

The researchers also analyzed the activities of the Babuk ransomware, and came to the conclusion that attempts to make the malware cross-platform and use it against Linux/UNIX and ESXi or VMware have failed.

Let me remind you that at the beginning of the year, the creators of Babuk reported that they had developed a version of the ransomware for *nix, since many backends in large companies do not run under Windows at all.

However, according to the researchers, the ransomware was written with many errors that “led to irreversible data corruption.”

It looks like Babuk ran a live beta test on its victims when it came to developing the Golang binary and decoder. We observed that several victims’ machines were encrypted without the possibility of data recovery due to a faulty binary and a faulty decryptor.write the McAfee experts.

Thus, even if the victim agrees to pay the ransom to the hackers, it will not be possible to decrypt the affected files. Experts hope that this will ultimately affect the relationship of Babuk developers with “partners” who are directly involved in attacks and infect networks of victims with malware. If victims would not get their data back even after paying the ransom, their rage will turn to Babuk’s “partners”.

Since destroying data instead of encrypting it is less profitable from the point of view of criminals, experts believe that the complete inoperability of the *nix version of Babuk and the decryptor that forced hackers to switch to data theft and extortion, abandoning encryption.

Let me remind you that earlier this year, Babuk’s operators announced that they were shutting down (after a loud attack on the Washington police department). It is believed that the hackers renamed their “leak site” to Payload.bin, and were ready to provide it to other criminals as a third-party hosting, where someone’s files can be leaked without starting their own site for this purpose, as well as a platform on which ransomware, access brokers and other criminals will be able to “meet”. Indeed, recently, almost all major hack forums have banned any discussion related to ransomware. However, it seems that the group is not doing very well, and the forum was unable to gain popularity, but was subjected to DDoS attacks and suffered from various bugs.

As for the failed Babuk decryptor, the researchers tell the following about it:

In general, the decryptor is bad because it only looks for the .babyk extension and skips any files the victim might have renamed in an attempt to recover them. In addition, the decryptor checks if the file is larger than 32 bytes, since the last 32 bytes are later combined with other hardcoded values to obtain the key. This is bad design, because those 32 bytes might be garbage, not a key.
Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

View all posts

Leave a Reply

Sending