On September 28th, the ZeroFox Threat Intelligence team discovered a Babuk ransomware variant calling itself Delta Plus 2.3. The operator behind Delta Plus has recently made use of multiple other ransomware variants under the name Delta Plus as well. While no notable changes were made to the Babuk variant aside from modifying the file extension, the sample’s build date was just 10 days after the leak, highlighting how low the barrier to entry for running a ransom operation can be when given a complete solution.
Babuk Ransomware Explained
Babuk ransomware was first discovered in early January 2021. In its early days, victim leaks were published on underground criminal forums while the group worked to create their website. January to April 2021 saw several organizations fall victim to the group, including the Metropolitan Police Department of the District of Columbia. The attention from attacking the Metropolitan Police Department allegedly caused disagreements within the group over those who wanted to publish the leak and those who felt it went too far, eventually leading to a retirement announcement and split. Payload.bin, a site focused solely on extortion, was launched as a direct result of the fallout.
By the end of June, a compiled version of the Babuk ransomware builder had been published online by “biba99,” the same account responsible for publishing early victims to underground forums. Finally, on September 2nd, a user going by the handle “dyadka0220” published the full source code for the ESXi, NAS and Windows versions of the ransomware, along with the decryptors and the builder application.
Babuk Ransomware Delta Plus Variant
On September 28th, the ZeroFox Threat Intelligence team retrieved a malware sample tagged as Babuk ransomware. It matched several publicly available YARA signatures created to detect Babuk, but the sample appended the “.delta” extension to encrypted files rather than the “.babyk” extension the group was known for. Because the builder application was published in June, anyone could generate new “Babuk” payloads with a custom ransom note. Even with this builder, however, the user was stuck with the .babyk file extension unless they modified the compiled binaries.
The second clear difference was the compilation timestamp. When using binaries from the leaked builder, all generated payloads appear to be built on March 23, 2021. The new sample had a compilation date of September 12, 2021.
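As an added illustration (not ZeroFox's tooling), the following Python triage script applies the two observations above: it reads the COFF compilation timestamp from a PE sample and checks whether the extension string embedded in it is the builder's original .babyk or the Delta Plus .delta, then classifies the sample as unmodified builder output or a rebuilt variant. The PE samples it runs on are constructed stand-ins, not the real binaries, and the builder-date comparison assumes the March 23, 2021 timestamp reported above.

```python
import struct
from datetime import datetime, timezone

# Every payload produced by the leaked Babuk builder carries the same COFF
# timestamp, March 23, 2021 (per the write-up); only the date is compared.
BUILDER_BUILD_DATE = datetime(2021, 3, 23, tzinfo=timezone.utc).date()
KNOWN_EXTENSIONS = (".babyk", ".delta")  # original extension and the Delta Plus one


def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime, or None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def embedded_extensions(data: bytes):
    """Extensions present as ASCII or UTF-16LE strings (Windows APIs use wide strings)."""
    return [e for e in KNOWN_EXTENSIONS
            if e.encode("ascii") in data or e.encode("utf-16-le") in data]


def triage(data: bytes) -> dict:
    """Classify a Babuk-like sample: unmodified builder output vs. a rebuilt variant."""
    ts = pe_timestamp(data)
    exts = embedded_extensions(data)
    if ts is None:
        verdict = "not-a-pe"
    elif not exts:
        verdict = "no-babuk-markers"
    elif exts == [".babyk"] and ts.date() == BUILDER_BUILD_DATE:
        verdict = "leaked-builder-output"
    else:
        verdict = "modified-or-recompiled"  # new extension and/or new build date
    return {"timestamp": ts, "extensions": exts, "verdict": verdict}


def make_sample(build_time: datetime, ext: str) -> bytes:
    """Constructed stand-in for a sample: minimal PE headers plus a wide extension string."""
    stub = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", stub, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHI", 0x14C, 3, int(build_time.timestamp()))  # i386, 3 sections
    return bytes(stub) + b"PE\0\0" + coff + b"\0" * 12 + ext.encode("utf-16-le")
```

Running `triage(make_sample(datetime(2021, 9, 12, tzinfo=timezone.utc), ".delta"))` yields the verdict `modified-or-recompiled`, matching the Delta Plus sample's combination of a new extension and a September build date.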
Looking at the dropped ransom note, we can see that the actor decided to brand this ransomware as Delta Plus. The ransom demand is significantly smaller than the six- and seven-figure amounts regularly demanded by the larger groups. In this case, the victim is instructed to pay the equivalent of $6500 USD in Bitcoin. If the victim contacts the provided email address within 72 hours, the amount is halved to $3250.
By following the email address and Bitcoin wallet given in the ransom note, the ZeroFox Threat Intelligence team was able to discover more related samples. The actor behind Delta Plus does not appear to be tied to any single ransomware solution: we also found Delta Plus binaries built with .NET and with Delphi, whereas Babuk is written in C. The notes dropped by these samples carried ransom demands ranging from $300 to $10,500 and mostly kept the Delta Plus name, though one sample referred to itself as “Doydo.” This actor was found to be using multiple email addresses and Bitcoin wallets.
As with the identification of any new ransomware variant or digital attack technique, it’s imperative that security teams have proactive protections in place to detect and respond to cyber attacks. The ZeroFox Threat Intelligence team recommends that all security teams:
- Ensure antivirus and intrusion detection software is up-to-date with all patches and rule sets
- Enable 2-factor authentication for all of your organizational accounts to help mitigate phishing and credential stuffing attacks
- Maintain regularly scheduled backup routines, including off-site storage and integrity checks
- Avoid opening unsolicited attachments and never click suspicious links
- Log and monitor all administrative actions as much as possible. Alert on any suspicious activity
- Review network logs for potential signs of compromise and data egress
The actor behind Delta Plus appears to be using various freely available ransomware products with the ability to drop custom ransom notes. With freely available ransomware builders and full source code to projects like Babuk available for anyone to download, the barrier to entry has been lowered. Skilled and low-skilled actors alike now have the ability to repackage ready-made solutions with minimal changes needed.
Indicators of Compromise