New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker
In this entry, we give an overview of new ransomware discoveries. This includes a new ransomware family dubbed Seth-Locker, and developments in the variants Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker.
Save to Folio
Ransomware is in constant state of development — this is true not only of ransomware families that are big-game hunters or ransomware families that have a targeted approach in their campaigns, but also for new ones.
In this entry, we look into a new ransomware family dubbed Seth-Locker, which was discovered while at large and is still under development. We also enumerate developments in Babuk Locker, Maoloa, and a possible TeslaCrypt variant. Lastly, we note the appearance of a CobraLocker variant that is at large and uses a popular game as a disguise to attract the attention of unwitting victims.
New ransomware Seth-Locker
We discovered a new ransomware named Seth-Locker at large. An interesting feature of this new ransomware is its inclusion a few backdoor routines in its malicious files, together with its ransom routine. These backdoor routines that have been observed so far are the following:
- open_link for reading content from the command-and-control (C&C) server
- down_exec for downloading and execute a file
- shell to run a command line shell command
- locker to run the ransomware routine
- kill to terminate a process or itself
Once executed, the ransomware follows the typical routine of encrypting files and appending them with the suffix.seth, before dropping a ransom note.
As its code contains several rookie mistakes and oversights, we surmise that it is still under development. For example, malware commands are easily visible and repetitions of file extensions to be checked are in its code. Additionally, another tell-tale sign that it is still under development is that it lacks sophistication in hiding its routines and techniques. In the future, however, it would be possible to encounter an improved version of this ransomware.
Developments in Babuk Locker
Babuk Locker is also a new ransomware family and the first enterprise ransomware discovered in 2021. It initially identified itself as Vasa Locker in December 2020. Babuk Locker is proving to be a fast-evolving and active ransomware. Early into 2021, it had already attacked several companies, utilising the strategy of threatening to expose stolen information.
Even as a new ransomware-as-a-service (RaaS), its operations follow the methods of known targeted ransomware attacks. Its initial access likely involves compromised user accounts, exploitation of vulnerabilities, or malspam. Threat actors then move laterally to make an inventory of the victim’s network and important files since they exfiltrate data as part of their double extortion method. Afterward, they finally proceed to deploying their ransomware payload. In addition, they eventually post the exfiltrated data on a blog or a Tor site that they operate.
Babuk Locker utilises a ChaCha8 stream cypher for encryption and Elliptic-curve Diffie-Hellman (ECDH) for key generation, making the recovery of files without gaining access to the private key highly unlikely. Chuong Dong’s blog gives further details on how this malware operates.
What’s notable about Babuk Locker is the progression of its attacks and its threat actors’ use of a Tor site to communicate with their victims. The oldest and first sample that we observed involved sending a typical ransom email to their target. Meanwhile, the second variant of the ransomware that we encountered used a Tor site, which showed a screenshot of the data that the threat actors had stolen from their target. Based on this development, we can see how the group behind Babuk Locker is making their extortion methods more personalised and aggressive.
Certain aspects of Babuk Locker have similarities with other known ransomware. In particular, the ransom note is striking as it matches that used by DarkSide. This is evidenced in Figure 1, which suggests that these two ransomware families could be linked together. With regard to techniques, Babuk Locker also seems to have taken a page out of older ransomware like Conti, Ryuk, and Ragnar Locker. For example, like these older malware, it terminates processes and services that are related to applications, back-up software, endpoint security, and servers. Given how effective these known ransomware are, it is no surprise that Babuk Locker has mimicked some of their techniques.
Babuk Locker’s leak site offers more clues. For example, we observed how the leak site has been modified recently to announce that Babuk has now been rebranded to “Babyk.” The site also claims that the group behind the variant is not malicious, and that they aim to expose security issues in organisations.
Interestingly, the leak site also lists entities that are excluded from the group’s scope of interest. This list was present before the modification and is the first time that we have observed a ransomware variant showing this kind of discretion.
Based on its code, the latest sample that we saw is already the third version of Babuk, which involves a more personalised ransom note that directly addresses the victim organisation by name. It is likely that we will see more of this malware in the future, given the level of activity that we have described.
Possible TeslaCrypt disabling system security
The variant described here arrives through a spam email, which downloads a malicious binary that we detected as the ransomware TeslaCrypt. While Babuk is new, TeslaCrypt is an older ransomware family. Notably, TeslaCrypt’s key was released in 2016 so it should now be considered a defunct ransomware; however, a new variant seems to have emerged (detected as Ransom.MSIL.TESLACRYPT.THABGBA). At present, we do not have enough information to say why the ransomware has made a reappearance. Additionally, we are not ruling out the possibility that the sample is simply a copycat version of TeslaCrypt.
Whatever the case might be, a notable feature of this malware is how it downgrades its victim’s security. The malware initially disables Windows Defender before terminating a very long list of around 300 other services such as debuggers and security-related applications. Authors of this variant seem to be aiming to narrow down the availability of a recovery method for their victim’s system.
For a ransomware variant, we very rarely see this many security-related processes and applications being closed in a campaign.
Developments for Maoloa
A newer sample that we encountered (detected as Ransom.Win32.MAOLOA.THAAHBA) was packaged inside a 7-Zip SFX file. This variant also used the legitimate tools certutil.exe and Autoit script. All of these additions are evasion tactics that we have not observed in previous variants. The older Maoloa variants that we encountered used a bare, unpackaged, binary.
Once executed, the self-extracting archive carrying the Maoloa ransomware payload will drop four files as seen in Figure 6.
Among these files is the Maoloa ransomware which, once decrypted, will proceed with its encryption routine and dropping of ransom notes. Similar to past variants, this Maoloa sample’s appended extension is “.Globeimposter-Alpha865qqz” despite belonging to the Maoloa ransomware family and not GlobeImposter’s.
CobraLocker disguised as Among Us
Finally, part of our notable discoveries is a CobraLocker variant (detected as Ransom.MSIL.COBRALOCKER.B) that was found at large and that uses the popular game Among Us as a disguise to lure users. The file name used by this ransomware is “AmongUsHorrorEdition.”
If executed, it will run an image in line with the “horror” aspect of the file and will display the text “Do you want to play?” It will then run typical malicious activities, such as terminating cmd.exe, regedit.exe, and Process Hacker, as well as adding registries for persistence.
How to secure against ransomware?
As shown by these ransomware families, threat actors will continue to hone their malware to ensure the success of their campaigns, be it by placing heavier pressure on their victims to comply to their demands or simply better disguising their malicious activities to evade detection.
- Ransomware of the present is undergoing rapid changes that need to be observed and prepared for. Here are measures that users and organisations can use to protect themselves from ransomware:
- Create an effective back-up strategy by following the 3-2-1 rule.
- Adopt strong passwords throughout the network.
- Consider network segmentation to separate important processes and systems from the wider access network.
- Increase both your awareness and the awareness of the members of your organisation on how ransomware spreads (i.e., through spammed emails and attachments)
- Monitor and audit network traffic for any suspicious behaviours or anomalies.
Trend Micro solutions
Trend Micro solutions such as the Smart Protection Suite and Trend Micro™ Worry-Free™ Business Security Services solutions, which have behaviour monitoring capabilities, can protect users and businesses from these types of threats by detecting malicious files, scripts, and messages as well as blocking all related malicious URLs. Our XGen™ security provides a cross-generational blend of threat defence techniques against a full range of threats for data centres, cloud environments, networks, and endpoints. It infuses high-fidelity machine learning (ML) with other detection technologies and global threat intelligence for comprehensive protection from advanced malware.
Indicators of Compromise (IOCs)