BlackBerry ThreatVector Blog

BlackBerry Prevents: Babuk Ransomware

First seen in early 2021, Babuk ransomware has most recently made headlines for exploiting the ProxyShell vulnerability chain in Microsoft® Exchange Server to deploy its ransom payload, an initial-access method previously used by ransomware groups such as Conti and LockFile.

The malware has primarily targeted Windows® devices, encrypting the victim’s files with an AES-256 algorithm. In April 2021, the Babuk group announced that it was shifting its approach to include double extortion: data is exfiltrated as well as encrypted locally before the ransom demand is made, so the attackers can threaten to publish the stolen data in addition to withholding the decryption key. This has the potential to be far more damaging than traditional encryption-only ransomware.

To see how BlackBerry prevents Babuk attacks from occurring, check out the following video, and watch BlackBerry go head-to-head with a live sample of Babuk malware. 

DEMO VIDEO: BlackBerry vs. Babuk ransomware

Learn more about Babuk in our deep dive blog, Threat Thursday: Babuk Ransomware Shifts Attack Methods to Double Extortion.

Demo Video: How BlackBerry Stops Babuk

Let’s investigate this incident with two key BlackBerry® solutions: BlackBerry® Protect and BlackBerry® Optics. BlackBerry Protect is an endpoint protection product that uses our Cylance® AI machine learning model to stop threats before they can execute, providing users with pre-execution protection.

BlackBerry Protect also provides full details on the malicious file’s properties, with an exhaustive list of threat indicators identifying file anomalies, collection, and destruction capabilities.

BlackBerry Optics gives you full transparency into the attempted system compromise. With BlackBerry Optics, you can conduct automated root-cause analysis where you can clearly see the chain of activities conducted by the user that led to an attack attempt. Using BlackBerry Optics, you can identify the source domain for this attack and visualize all the related network interactions.

A third product, BlackBerry® Gateway, can detect and block this type of malicious network activity based on IP reputation, preventing the installation script from retrieving the malicious payload from the Internet. Using BlackBerry Gateway, the administrator of the affected system can analyze the event and obtain the data they need to see where the attack came from and why BlackBerry products activated to stop it before it began.

Our Prevention-First Philosophy

At BlackBerry, we take a prevention-first and AI-driven approach to cybersecurity. Putting prevention first neutralizes malware before the exploitation stage of the kill chain.   

By stopping malware at this stage, BlackBerry solutions help organizations increase their resilience. It also helps to reduce infrastructure complexity and streamline security management, ensuring your business, people and endpoints are secure.   

Video transcription

“In our video this week we are going to analyze Babuk Ransomware, using a recent strain that has been analyzed in much greater detail on our Threat Thursday blog.

We have configured this machine in audit-only mode to allow this sample to run. As soon as we run the file, we can see that the malware is fast-acting and very quickly encrypts most of the system files, leaving the traditional ransom note.

We are now going to analyze our temporal predictive advantage. In this case, we have an agent with a Cylance AI model from October 2015, without any operating system updates or even an Internet connection.

If we try to execute the file that we previously executed, our endpoint protection product BlackBerry Protect can prevent it, pre-execution, years before this threat was created.

Taking into consideration that the Babuk source code has been used to generate hundreds of variants and custom ransomware, we decided to identify about 200 samples, 216 variants to be exact. Let's see how BlackBerry Protect behaves against these threats.

As you can see, 200+ samples of Babuk ransomware variants are no match for our artificially intelligent math models.

Prevention is possible, with BlackBerry.”

The BlackBerry Research & Intelligence Team

About The BlackBerry Research & Intelligence Team

The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.