Babuk Locker Ransomware Support Topic (.babyk; How To Restore Your Files.txt)

Avast Threat Labs created and released a free Babuk Decryption tool using leaked source code and leaked decryption keys for victims with files encrypted by the following extensions: .babuk, .babyk, .doydo.

• Babuk Decryptor download link

Cisco Talos obtained a decryption tool for the Tortilla variant of Babuk in January 2024 after the criminal was arrested.
Avast Threat Labs updated Babuk Ransomware Decryptor in January 2024.
 
 
 
A threat actor has begun to utilize a leaked Babuk Locker ransomware builder to launch a new 'Babuck Locker' campaign targeting victims all over the world.
 
The ransomware will append the .babyk extension to encrypted files and drop a ransom note named How To Restore Your Files.txt.
 
The threat actor is asking for .006 bitcoins to be sent to a bitcoin address and has provided a email address of babuckransom@tutanota.com.
 
If you were hit by this ransomware, please share how you were infected.

 I had contact with someone who has been infected with this new ransomware.

Have anyone come across this version of ransomware where file extension got changed to .babyk.

It's Babuk ransomware; not decryptable, and they've had many bugs with their code that causes data corruption.

@lovalim

Your topic has been merged into the primary support topic.

Me again, got hit by the ransomware for the third time this year.

please help, i had checked some text file which got encrypted, seems only the header and footer had been added/encrypted.

thanks!

Edited by terry5285, 30 December 2021 - 04:55 AM.

Is .cyber the full appended extension or is there an .[email], an ID number with random characters (.id-A04EBFC2, .id[4D21EF37-2214]) or an ID number with an email address (.id-BCBEF350.[<email>], .id[7A9B748C-1104].[<email>], _ID_<id***>_<email>) preceding the extension?
 
Did you find any ransom notes? If so, what is the actual name of the ransom note?
Can you provide (copy & paste) the ransom note contents in your next reply?
 
Please submit (upload) samples of encrypted files, ransom notes and any contact email addresses provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation of the infection. ID Ransomware can identify ransomware which adds a prefix instead of an extension and more accurately identifies ransomware by filemarkers if applicable. Uploading both encrypted files and ransom notes together along with any email addresses provided gives a more positive match with identification and helps to avoid false detections. Please provide a link to the ID Ransomware results.

the name of the ransom notes is Restore Files.txt

IDR said this ransomware is Babuk.

Can you provide (copy & paste) the ransom note contents in your next reply?

Avast Threat Labs created and released a Babuk Decryption tool using leaked source code and leaked decryption keys for victims with files encrypted by the following extensions: .babuk, .babyk, .doydo.

Unfortunately, there is no known method that I am aware of to decrypt files encrypted by newer variants of Babuk (Babuk Locker) Ransomware without paying the ransom and obtaining the private encryption keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. Without the criminal's master private key that can be used to decrypt your files, decryption is impossible. That usually means the private key is unique (specific) for each victim and generated in a secure way (i.e. RSA, AES, Salsa20, ChaCha20, ECDH, ECC) that cannot be brute-forced...the public key alone that encrypted files is useless for decryption. 
 
If feasible, your best option is to restore from backups, try file recovery software to recover (not decrypt) some of your original files or backup/save your encrypted data as is and wait for a possible solution at a later time. 
 
I will merged your topic into the primary support topic.

Hi All,

Our ESXi Server was attacked from ransomware .XVGA extension.

That's attacked for all files in our Datastore. please see attached for information.

Please help how to investigate _/\_

When did this attack happen?

Contents of HowToRestore.txt

 

Looks like New ESXi attack. 

 

When did this attack happen?

 

Contents of HowToRestore.txt

============================================ 

=================WARNING!=================== 

====YOUR SECURITY PERIMETER WAS BREACHED==== 

============================================ 

  

Over 500 gigabytes of highly sensitive files 

were stolen from your network . You can read 

the full stolen data sheet and get the proof 

in the dialogue with us. 

 

Don't modify, rename, copy or move any files 

or you can DAMAGE them! 

Shutdown or Reset your system, it can DAMAGE 

files! 

 

If no contact with us or deal made in 3 days 

decryption key will be deleted permanently   

and all your data will be sold! 

============================================ 

For contact us use this mailbox: 

 

 spaceit@techmail.info 

 itlab@cyberfear.com 

 

Your decryption ID: OTvPYpaJcjQwD7tBYpiel3yb 

 

 

 

It's happen on 13 March, the ransomware encrypted every file inside datastore

Yours looks like the only report thus far.

An Internet search only reveals this topic.