Ransomware 2021 – Babuk Locker

Hello Everyone,

After an awful year due to Covid-19, we are all advised to be careful and to follow preventive measures. But we are still no safer in cyberspace from that dangerous class of malware, ransomware.

Yes, the first ransomware of 2021, named Babuk Locker, hit the world in the very first week of the decade.
Though it has targeted only a small list of victims around the world so far, it does the usual job of encrypting the victims' data for a ransom of $60,000 to $85,000 in bitcoin.

How it Works
Babuk Locker is an executable that was analyzed by security researcher Chuong Dong. He found that the coding of the new ransomware is amateurish compared to other ransomware families, but that it includes secure encryption that prevents victims from recovering their files without paying the ransom.

It employs a strong encryption scheme based on Elliptic-curve Diffie-Hellman (ECDH), which has so far proven effective for the attackers. In addition, according to researcher Chuong Dong, Babuk uses its own implementation of SHA256 hashing and ChaCha8 encryption to protect its keys and encrypt files.

The threat actors somehow ended up with an amateurish product that still does its job acceptably; whether it encrypts network shares first is controlled by the threat actors through a command-line argument.

Babuk will terminate various Windows services and processes known to keep files open and so block encryption; these include database servers, mail servers, backup software (sadly, there is nothing we can do about that), web browsers and mail clients.

The hard-coded extension .__NIST_K571__. is appended to every encrypted file. A ransom note named How To Restore Your Files.txt is also dropped in each folder; it contains the essential information on what happened and what the victim needs to do next.

Source : BleepingComputer
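As an added example (not from the original post or from Dong's analysis), here is a small Python triage script that uses the two indicators just described, the hard-coded extension and the ransom note name, to inventory an affected share; the folder layout it scans is constructed, and the function names are my own.

```python
import os
import tempfile

# Indicators from the write-up: the hard-coded extension Babuk appends to
# encrypted files and the ransom note it drops in every folder.
ENCRYPTED_EXT = ".__NIST_K571__."
RANSOM_NOTE = "How To Restore Your Files.txt"


def scan_for_babuk(root):
    """Walk `root` and report Babuk-style artefacts.

    Returns the encrypted file paths, the directories holding a ransom note,
    and the directories holding encrypted files but no note (a hint that a run
    was interrupted or that a share was only partially encrypted).
    """
    encrypted, note_dirs, encrypted_dirs = [], set(), set()
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                note_dirs.add(dirpath)
            elif name.endswith(ENCRYPTED_EXT):
                encrypted.append(os.path.join(dirpath, name))
                encrypted_dirs.add(dirpath)
    return {
        "encrypted_files": sorted(encrypted),
        "note_dirs": sorted(note_dirs),
        "encrypted_dirs_without_note": sorted(encrypted_dirs - note_dirs),
    }


def build_sample_tree():
    """Build a constructed (not real) folder layout mimicking a hit share."""
    root = tempfile.mkdtemp(prefix="babuk_demo_")
    layout = {
        "finance": ["q4.xlsx" + ENCRYPTED_EXT, "budget.docx" + ENCRYPTED_EXT, RANSOM_NOTE],
        "hr": ["payroll.csv" + ENCRYPTED_EXT],  # encrypted, but no note dropped
        "public": ["readme.txt"],  # untouched folder
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for name in names:
            with open(os.path.join(root, sub, name), "w") as fh:
                fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    report = scan_for_babuk(build_sample_tree())
    print(len(report["encrypted_files"]), "encrypted files")
    print("ransom notes in:", report["note_dirs"])
    print("encrypted but no note:", report["encrypted_dirs_without_note"])
```

Point `scan_for_babuk` at a mounted share to get a quick inventory of what was touched before deciding on restore scope.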

They also provide a Tor (onion) link for the ransom payment; that link simply leads to a chat screen where the victim can negotiate the ransom with the threat actor.


The above mentioned url is the Url from the source BleepingComputer

“Unfortunately the use of ChaCha8 and Elliptic-Curve Diffie-Hellman (ECDH) makes the ransomware secure and could not be decrypted for free,” said Dong.

The only way to protect ourselves from this kind of ransomware is to regularly keep a previous-generation backup, so that our data stays safe.

Stay safe out there from Covid-19, and stay safe from malware too.

Thank you, and see you again in the next one.
