ALPS blog

New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker

Original article Raphael Centeno, Monte de Jesus, Don Ovid Ladores, Junestherry Salvador, Nikko Tamana, Llalum Victoria

Ransomware is in constant state of development — this is true not only of ransomware families that are big-game hunters or ransomware families that have a targeted approach in their campaigns, but also for new ones. The article gives an overview of the characteristics and capabilities of the families.

New ransomware Seth-Locker

An interesting feature of the new Seth-Locker ransomware is that it includes some backdoor routines in its malicious files along with the ransomware routine. These routines include one to read content from the command-and-control (C&C) server, one to download and execute a file and a command line command, one to execute the ransomware routine and finally one to terminate a process or itself. More technical details are included in the original article.

Since the code has several rookie mistakes and oversights, it is likely that it is still under development. For example, malware commands are easily visible and repetitions of file extensions to be checked are present in the code. Another sign is the lack of sophistication in hiding its routines and techniques.

Developments in Babuk Locker

Babuk Locker is also a new ransomware family and the first enterprise ransomware discovered in 2021. It initially identified itself as Vasa Locker in December 2020. Babuk Locker is proving to be a fast-evolving and active ransomware. Early into 2021, it had already attacked several companies, utilizing the strategy of threatening to expose stolen information.

Even as a new ransomware-as-a-service (RaaS), its operations follow the methods of known targeted ransomware attacks. Its initial access likely involves compromised user accounts, exploitation of vulnerabilities, or malspam. Threat actors then move laterally to make an inventory of the victim’s network and important files since they exfiltrate data as part of their double extortion method. Afterward, they finally proceed to deploying their ransomware payload. In addition, they eventually post the exfiltrated data on a blog or a Tor site that they operate.

Certain aspects of Babuk Locker have similarities with other known ransomware. In particular, the ransom note is striking as it matches that used by DarkSide. This is evidenced in Figure 1, which suggests that these two ransomware families could be linked together. With regard to techniques, Babuk Locker also seems to have taken a page out of older ransomware like Conti, Ryuk, and Ragnar Locker. For example, like these older malware, it terminates processes and services that are related to applications, back-up software, endpoint security, and servers. Given how effective these known ransomware are, it is no surprise that Babuk Locker has mimicked some of their techniques. Further technical details can be found in the original article.

The Babuk Locker leak site offers further clues. The site announces a name change (Babyk) and claims that the group behind the variant is not malicious, but wants to uncover security problems in companies. Interestingly, the leak site also lists entities that are excluded from the group’s scope of interest. This list was already present before the change and is the first time we observe a ransomware variant showing this kind of discretion.

Image. The list of organizations exempted from Babuk’s attacks as posted on their leak site

Possible TeslaCrypt disabling system security

The variant described here arrives through a spam email, which downloads a malicious binary that we detected as the ransomware TeslaCrypt. While Babuk is new, TeslaCrypt is an older ransomware family. Notably, TeslaCrypt’s key was released in 2016 so it should now be considered a defunct ransomware; however, a new variant seems to have emerged (detected as Ransom.MSIL.TESLACRYPT.THABGBA). At present, we do not have enough information to say why the ransomware has made a reappearance. Additionally, we are not ruling out the possibility that the sample is simply a copycat version of TeslaCrypt.

Whatever the case might be, a notable feature of this malware is how it downgrades its victim’s security. The malware initially disables Windows Defender before terminating a very long list of around 300 other services such as debuggers and security-related applications. Authors of this variant seem to be aiming to narrow down the availability of a recovery method for their victim’s system.

Developments for Maoloa

The Maoloa ransomware was first seen in 2019. It is also one of the malware used in an attack on hospitals in Romania in July 2019. Maoloa has also been linked to the older GlobeImposter ransomware. The now discovered variant uses legitimate tools (certutil, Autoit) as an avoidance tactic. More technical details can be found in the original article.

How to secure against ransomware?

Today’s ransomware changes quickly, and users need to be prepared:

  • Create an effective back-up strategy by following the 3-2-1 rule.
  • Adopt strong passwords throughout the network.
  • Consider network segmentation to separate important processes and systems from the wider access network.
  • Increase both your awareness and the awareness of the members of your organization on how ransomware spreads (i.e., through spammed emails and attachments)
  • Monitor and audit network traffic for any suspicious behaviors or anomalies.

Trend Micro solutions

Trend Micro solutions such as the Smart Protection Suite and Trend Micro™ Worry-Free Business Security Services solutions, which have behavior monitoring capabilities, can protect users and businesses from these types of threats by detecting malicious files, scripts, and messages as well as blocking all related malicious URLs. Our XGen security provides a cross-generational blend of threat defense techniques against a full range of threats for data centerscloud environmentsnetworks, and endpoints. It infuses high-fidelity machine learning (ML) with other detection technologies and global threat intelligence for comprehensive protection from advanced malware.


Featured News