Security researchers have detected a new version of the Babuk ransomware builder on VirusTotal, a sign that the group is continuing its malicious operations.

Babuk ransomware still operating?

In what appears to be a continuation of their ransomware activities after signaling that they were getting out of the business, the operators of the Babuk ransomware have lapsed back into old habits with a new attack on corporate networks.

According to security researchers at Malwarebytes, a new Babuk ransomware builder is in use, specifically to create the ransomware’s unique payloads and decryption module.

The ransomware was last observed back in late 2020 when the Washington DC Metropolitan Police Department (MPD) was attacked. This led to the private data of numerous MPD personnel getting leaked.

However, shortly after that, operators of the Babuk ransomware announced that their operations had been suspended.

But in the previous week, security researcher Kevin Beaumont was able to detect the malicious gang’s source code on VirusTotal.

VirusTotal is a free service that analyzes files and URLs for viruses, worms, trojans, and other kinds of malicious content. The service operates through collaboration between members of the antivirus industry, researchers, and end-users of all kinds.

In a tweet, Beaumont said that the new version consisted of a builder that would create ransomware for Windows, VMware ESXi virtual machines, and network-attached storage based on x86 and ARM architectures.

Peculiar case of ending up on VirusTotal:

However, another security researcher at Malwarebytes, Pieter Arntz, says it is particularly confusing that the builder ended up on VirusTotal, given that the website is most often used to check whether a file is malicious or not.

“But it has been a while since malware authors were dunce enough to upload their work to VT to check whether it would be detected by the anti-malware industry or not,” he adds.

“The vendors that cooperate on VT have access to any files uploaded there. So, if their freshly created malware was not detected immediately, it would be soon after. Since those days, malware authors have their own services to run these checks without sharing their work with the anti-malware vendors.”

He is also of the opinion that by uploading the code to VirusTotal, the threat actors essentially made the source code publicly available.

There were a few possible reasons for doing this, according to Arntz: either someone received or found the file and did not trust it, so they checked it for malware on VT; someone wanted to destroy the Babuk operation by throwing their builder under the (VT) bus; or the Babuk operators chose this as an odd way to make the source code available.

Another assumption from Arntz is that researchers were somehow able to find numerous flaws in the encryption and decryption of the Babuk ransomware code. These flaws become apparent when an attack involves ESXi servers, and they are severe enough to result in a total loss of data for the victim.