PSA: Severe bug in Babuk ransomware decryptor leads to data loss

One of the main tasks of the Emsisoft research lab is to keep track of new ransomware families. Our primary objective is always to find flaws and weaknesses that allow us to decrypt victim files without them having to pay the threat actors operating the ransomware, but as part of our research, we are often the first to learn about serious bugs in ransomware families in general.

In this particular case, we found a severe issue within the Babuk ransomware strain that targets Linux and more specifically ESXi servers. ESXi is a popular virtualization platform offered by VMware. Virtualization platforms like ESXi have become a very lucrative target for many ransomware groups, like Defray/RansomExx, Darkside, and Babuk.

Babuk is a relative newcomer in the wild west that is the current ransomware threat landscape. They first appeared at the beginning of 2021 and, like most ransomware gangs, initially focused exclusively on encrypting Windows systems. Over the past couple of months, however, they quickly evolved their platform to jump onto the growing trend of attacking Linux-based systems like ESXi as well.

Unfortunately, the velocity at which they evolved their platform came at the cost of quality. As a result, there are multiple fundamental design flaws within both the encrypting and decrypting parts of Babuk on ESXi, which can result in permanent data loss.

One of the bugs within the actual Babuk ransomware on ESXi is that files can be encrypted multiple times. Multiple encryption layers are a nuisance, but ultimately just mean that with some manual effort a victim can still decrypt their data by simply decrypting the ransomed data again and again until all encryption layers have been removed.

The second bug will cause Babuk to only rename files on an ESXi server, but not encrypt them. This wouldn’t be a huge issue if it wasn’t for the fact that the decryptor provided by the Babuk threat actors has no precautions in place to detect whether a file with the *.babyk extension is actually encrypted or not. It will blindly “decrypt” these unencrypted files, trashing them in the process.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

Last but not least, we want to once again emphasise how important it is to create backups or snapshots of encrypted data first, before running any sort of decryption tool no matter what its source is. Without either of those safety measures in place, any small bug or any brief operational issue can lead to permanent loss of data. We understand that after an extended downtime that inevitably follows any ransomware attack, there is immense pressure to get systems back up and operational again as soon as possible. But it is important to not give in to that pressure and throw all safety and precaution measures overboard. Both your company’s and your data’s survival may depend on them.

Fabian Wosar

Fabian Wosar

Emsisoft's CTO and both cat and polar bear lover.

What to read next