diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 53f20ba..3af29be 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -13964,6 +13964,16 @@ "uuid": "6955c28e-e698-4bb2-8c70-ccc6d11ba1ee", "value": "WastedLocker" }, + { + "description": "Since this is the first detection of this malware in the wild, it’s not surprising that Babuk is not obsfuscated at all. Overall, it’s a pretty standard ransomware that utilizes some of the new techniques we see such as multi-threading encryption as well as abusing the Windows Restart Manager similar to Conti and REvil. For encrypting scheme, Babuk uses its own implementation of SHA256 hashing, ChaCha8 encryption, and Elliptic-curve Diffie–Hellman (ECDH) key generation and exchange algorithm to protect its keys and encrypt files. Like many ransomware that came before, it also has the ability to spread its encryption through enumerating the available network resources.", + "meta": { + "refs": [ + "http://chuongdong.com//reverse%20engineering/2021/01/03/BabukRansomware/" + ] + }, + "uuid": "c52a65d5-9bea-4a09-a81b-7f789ab48ce0", + "value": "Babuk Ranomsware" + }, { "description": "Darkside, the latest ransomware operation to emerge has been attacking organizations beginning earlier this month. Darkside’s customized attacks on companies have already garnered them million-dollar payouts.\nThrough their “press release”, these threat actors have claimed to be affiliated with prior ransomware operations making millions of dollars. They stated that they created this new product to match their needs, as prior products didn’t.\n Darkside explains that they only target companies they know that can pay the specified ransom. They have allegedly promised that they will not attack the following sectors. They include medicine, education, non-profit organizations, and the government sector.", "meta": { @@ -14017,5 +14027,5 @@ "value": "RansomEXX" } ], - "version": 90 + "version": 91 }