- Apr 24, 2016
One of the main tasks of the Emsisoft research lab is to keep track of new ransomware families. Our main goal is always to find flaws and weaknesses that allow us to decrypt victim files without them having to pay the threat actors operating the ransomware, but as part of our research, we are often one of the first people to learn about serious bugs in ransomware families in general.
In this particular case, we found a severe issue within the Babuk ransomware strain that targets Linux and more specifically ESXi servers. ESXi is a popular virtualization platform offered by VMware. Virtualization platforms like ESXi have become a very lucrative target for many ransomware groups, like Defray/RansomExx, Darkside, and since recently also Babuk.
Babuk has been a relative newcomer in the wild west that is the current ransomware threat landscape. They first appeared at the beginning of 2021 and like most ransomware gangs initially focused exclusively on encrypting Windows systems. Over the past couple of months, however, they quickly evolved their platform to jump onto the growing trend of attacking Linux-based systems like ESXi as well.
Unfortunately, the velocity at which they evolved their platform came at the cost of quality. As a result, there are multiple fundamental design flaws within both the encrypting and decrypting parts of Babuk on ESXi, which can lead to serious and irreparable data loss.
One of the bugs within the actual Babuk ransomware on ESXi is, that files can be encrypted multiple times. Multiple encryption layers are a nuisance, but ultimately just mean that with some manual effort a victim can still decrypt their data by simply decrypting the ransomed data again and again until all encryption layers have been removed.
The second bug will cause Babuk to only rename files on an ESXi server, but not encrypt them. This wouldn’t be a huge issue if it wasn’t for the fact that the decryptor provided by the Babuk threat actors has no precautions in place to detect whether a file with the *.babyk extension is actually encrypted or not. It will blindly “decrypt” these unencrypted files, trashing them in the process.
Bugs like this within ransomware are unfortunately increasingly common and they are one of the reasons, why we are offering our ransomware expertise to any victim of ransomware in the form of our Ransomware Recovery Services, where we offer a free evaluation of your specific case to bring potential bugs and issues that may hinder your successful recovery to your attention, and also provide solutions and workarounds in form of our own superior recovery tooling for a fixed-price fee.
Last but not least, we want to once again emphasise how important it is to create backups or snapshots of your encrypted data first, before running any sort of decryption tool no matter what its source is. Without either of those safety measures in place, any small bug or any brief operational issue can lead to severe and irrecoverable loss of your data. We understand that after an extended downtime that inevitably follows any ransomware attack, there is immense pressure to get systems back up and operational again as soon as possible. But it is important to not give in to that pressure and throw all safety and precaution measures overboard. Both your company’s and your data’s survival may depend on them.