Dive Brief:
- The threat actors behind Babuk ransomware claim to have obtained more than 700 GB of data from the PDI Group, a defense and aerospace company based in Solon, Ohio, according to documents seen by Cybersecurity Dive. PDI Group did not return requests for comment.
- The threat actor claims to have obtained sensitive data, including contracts, customer payment information and employee data, and has posted a number of documents online. The posted documents included images of a diagram, a non-disclosure agreement with a third-party firm and a threat to provide the information to foreign adversaries.
- Babuk, which first emerged in January, has been one of the more active ransomware groups in the enterprise space this year, with attacks against five major organizations during the first half of January, according to McAfee researchers.
Dive Insight:
Researchers at Black Kite — who have been monitoring the group's activities and seen many of the posted documents — say the group is a "legitimate threat" and confirm that Babuk has aggressively threatened to share information, including to hostile nation states.
"Babuk usually finds its way to target systems like ESXi or NAS devices through breached credentials and exploiting the vulnerabilities on these devices," said Paul Paget, CEO at Black Kite. "They also sell or share their products with the cybercriminal community through 'affiliate programs.'"
The New Jersey Cybersecurity and Communications Integration Cell put out an alert on Babuk in early January, calling it the first new ransomware variant of 2021.
Babuk was initially observed in early January by security researcher Chuong Dong, a Georgia Tech student, who said the threat actor used fairly standard techniques, including multithreaded encryption and the Windows Restart Manager API to shut down processes holding locks on files the ransomware wants to encrypt.
In late February, McAfee issued a report on Babuk, noting that the group launched attacks on at least five large enterprises over the first two weeks in January and was able to get $85,000 in payment from at least one of the targets.
The group's codebase and artifacts were similar to a prior ransomware family called Vasa Locker. Babuk's targets included companies in transportation, healthcare, plastics and other sectors across a wide geographic area, including the U.S., Western Europe, Asia and Southern Africa.
"Initially Babuk was new to the game, but showed that they were serious by being agile in their development," John Fokker, principal engineer and head of cyber investigations for McAfee Advanced Threat Research said.
He added that Babuk has recruited affiliates linked to more established ransomware families.
The Babuk group has tried to position itself as a principled actor, claiming it does not target schools, non-profits, hospitals or small businesses, according to Trend Micro. However, other evidence shows the group has expressed hostility toward the Black Lives Matter and LGBTQ communities, according to McAfee.
The threat comes at a time of heightened ransomware activity following the alleged nation-state exploitation of Microsoft Exchange Server, which left tens of thousands of U.S. organizations scrambling to patch vulnerable on-premises servers after the vulnerabilities were publicly disclosed.
Microsoft released a new update Thursday outlining additional activity stemming from the Exchange Server vulnerabilities. This includes DoejoCrypt ransomware, which was deployed through a variant of the Chopper web shell after the Exchange exploits.
Pydomer ransomware, which was previously observed exploiting vulnerabilities in Pulse Secure VPN appliances, has also been seen in the recent wave, according to Microsoft.
Company officials did not return a request for comment and a Pentagon spokesperson was looking into claims to see if there would be any comment. Officials from the FBI and Cybersecurity & Infrastructure Security Agency did not return requests for comment.