What is Babuk Locker Ransomware
Babuk Locker (also written Babuck Locker, and seen under the names Vasa Locker and Babyk Locker), first reported by the malware researcher Glacius_, is ransomware aimed at commercial organizations; early reports put its targets at companies with turnovers around $4,000,000 and its ransom demands at $60,000-85,000 in BTC. To make sure victims cannot decrypt their data independently, the operators use a hybrid scheme that combines ChaCha8 for the file contents, SHA-256 for key derivation and an elliptic-curve Diffie-Hellman (ECDH) key exchange, so the per-file keys can only be reconstructed with a private key that never leaves the attackers. Babuk Locker is distributed widely, and several variants derived from it (Babyk, Vasa and others) circulate, so the extension appended to encrypted files depends on the build: usually .__NIST_K571__, .babyk or .babuk. For instance, a file named 1.pdf becomes 1.pdf.__NIST_K571__, 1.pdf.babyk or 1.pdf.babuk once encryption completes. As soon as that stage is done, the ransomware drops a text note named How To Restore Your Files.txt (in some builds DECR.txt) into every folder containing encrypted data.
--------------- Hello ---------------
*** By BABUCK LOCKER ***
Your computers and servers are encrypted, and backups are deleted.
We use strong encryption algorithms, so no one has yet been able to decrypt their files without our participation.
The only way to decrypt your files is to purchase a universal decoder from us, which will restore all the encrypted data and your network.
Follow our instructions below, and you will recover all your data:
1) Pay 0,006 bitcoin to 1E6cvG6iEbufvYspsDa3XQ3WJgEMvRTm9i
2) Send us message with transaction id to babuckransom@tutanota.com
3) Launch decryptor.exe, which our support will send you through email
What guarantees?
------------------
We value our reputation. If we will not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is tested by time and will decrypt all your data.
------------------
!!! DO NOT TRY TO RECOVER ANY FILES YOURSELF. WE WILL NOT BE ABLE TO RESTORE THEM!!!
----------- [ Hello! ] ------------->
******BY VASA LOCKER******
What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network.
Follow our instructions below and you will recover all your data.
If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web.
What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
We guarantee to decrypt one file for free. Go to the site and contact us.
How to contact us?
----------------------------------------------
Using EMAIL:
1) Open your mail
2) Write us: babukrip@protonmail.ch
YOUR PERSONAL ID, ATTACH IT:
[redacted]
!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!!
----------- [ Hello! ] ------------->
****BY BABUK LOCKER****
What happend?
----------------------------------------------
Your computers and servers are encrypted, backups are deleted from your network and copied. We use strong encryption algorithms, so you cannot decrypt your data.
But you can restore everything by purchasing a special program from us - a universal decoder. This program will restore your entire network.
Follow our instructions below and you will recover all your data.
If you continue to ignore this for a long time, we will start reporting the hack to mainstream media and posting your data to the dark web.
What guarantees?
----------------------------------------------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests.
All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems.
We guarantee to decrypt one file for free. Go to the site and contact us.
How to contact us?
----------------------------------------------
Using TOR Browser ( https://www.torproject.org/download/ ):
http://babukq4e2p4wu4iq.onion/login.php?id=8M60J4vCbbkKgM6QnA07E9qpkn0Qk7
!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!!
The note walks victims through the operators' process. It opens by stating that the computers and servers on the network have been encrypted and that backups, including the shadow copies Windows keeps on the system, have been deleted. Having established that, it offers the way out: a "universal decoder" sold by the extortionists. The price and further terms are negotiated over the contact channel given in the note, a Tor site for the Babuk build and an e-mail address for the Vasa build. The note also warns that if the victim does not make contact soon, the operators will begin publishing the data on the dark web and reporting the breach to the media.

That threat is not empty: before encrypting, the operators copy the stored data to servers under their control so that it can be used as leverage. This tactic is usually called double extortion (the term doxware is sometimes used for it); there is no separate piece of software involved, the exfiltration is part of the intrusion itself. Because the file keys are protected with properly implemented public-key cryptography, no third-party tool can recover the data without the operators' private key. The only way to get the data back for free is to restore from backups that were created and kept offline, or otherwise out of the malware's reach, before the infection. Even then the risk of exposure remains: anything that was copied can be leaked or sold to third parties who will try to profit from it. Treat the claim of exfiltration as something to verify in your own logs (outbound transfer volumes, unusual archiving tools, uploads to cloud storage) rather than to accept or dismiss on faith.

Although Babuk Locker concentrates on well-funded organizations, home users can be hit too. In either case the malware must be removed before the machine is used again. Whether to pay the ransom is a decision only you can make; it is unfortunate that so many users and organizations fall into such traps, but that is the reality of ransomware today. The guide below covers removal step by step.
How Babuk Locker Ransomware infected your computer
Ransomware does not rely on a single distribution vector; most operators use a handful of well-worn methods. The list includes spam e-mail with malicious attachments, fake software updates, trojanised installers, backdoors, keyloggers and other trojans already present on the machine, exposed or poorly secured RDP services, attacks on NAS (Network Attached Storage) devices, and more. A note addressed to "your computers and servers" and a threat to leak the data point to a hands-on intrusion into the network, typically through remote-access services, so check remote-access and VPN logs as well as the mailbox. E-mail spam is nonetheless an old and still effective method, simply because nearly everyone reads e-mail daily for personal and work purposes. The attackers send templated messages disguised as legitimate company correspondence (DHL, FedEx, DPD and the like), and inexperienced or inattentive users trust them and open the attachment. Victims most often report attachments with .docx, .pdf, .js, .exe, .zip or .rar extensions. Some of these look harmless, but any file type can be made to carry a malicious payload: a document can hold a macro, an archive can hide a script or executable, and a name like invoice.pdf.exe relies on Windows hiding the real extension by default. Never open or download attachments from messages you did not expect, or you may pay a steep price for that moment of inattention. A list of advice on protecting yourself against such threats follows below.
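As an added example (not from the original guide), the following Python takes a constructed e-mail of the kind described above and applies an attachment policy: executables and scripts are flagged outright, zip archives are opened and their contents checked, archive types the standard library cannot open are flagged for manual review, and names that hide an executable behind a document extension (invoice.pdf.exe) are called out. The sample message, its sender address and the file names are constructed for the example; the extension lists are a starting point, not an exhaustive policy.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Extension lists are a starting point; tune them to your environment.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".vbe",
            ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".lnk", ".msi"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
ZIP_EXT = {".zip"}                                    # openable with the standard library
OPAQUE_ARCHIVE_EXT = {".rar", ".7z", ".iso", ".img"}  # cannot inspect here: flag for review

def risk_of(filename: str):
    """Return a reason string if the file name looks dangerous, else None."""
    suffixes = PurePosixPath(filename.lower()).suffixes
    if not suffixes:
        return None
    last = suffixes[-1]
    if last in EXEC_EXT:
        if len(suffixes) > 1 and suffixes[-2] in DOC_EXT:
            return "executable disguised by double extension"
        return "executable or script"
    if last in ZIP_EXT:
        return "archive"
    if last in OPAQUE_ARCHIVE_EXT:
        return "archive type not inspected here"
    return None

def scan_message(raw: bytes):
    """Walk every attachment of a raw RFC 5322 message and list policy hits."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reason = risk_of(name)
        if reason == "archive":
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for inner in zf.namelist():          # look inside, do not extract
                        inner_reason = risk_of(inner)
                        if inner_reason:
                            findings.append((f"{name}!{inner}", inner_reason))
            except zipfile.BadZipFile:
                findings.append((name, "corrupt or non-zip archive"))
        elif reason:
            findings.append((name, reason))
    return findings

def build_sample_message() -> bytes:
    """Constructed message for the example: a fake delivery notice with three attachments."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Invoice_4471.pdf.exe", b"MZ\x90\x00 (constructed, not a real binary)")
    msg = EmailMessage()
    msg["From"] = "notifications@courier.example"    # constructed sender
    msg["To"] = "accounts@victim.example"
    msg["Subject"] = "Your parcel could not be delivered"
    msg.set_content("Please review the attached shipment documents.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="shipment.zip")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf",
                       filename="label.pdf")
    msg.add_attachment(b"var x = 1;", maintype="application", subtype="octet-stream",
                       filename="track.js")
    return msg.as_bytes()
```

Run against the constructed message, scan_message() reports the nested Invoice_4471.pdf.exe inside shipment.zip and the bare track.js, and lets label.pdf through. Extension checks are cheap and catch the common lures, but they say nothing about macros inside a .docx or a PDF with an embedded script, so this belongs in front of, not instead of, content scanning.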
- Download Babuk Locker Ransomware Removal Tool
- Get decryption tool for .babyk or .babuk files
- Recover encrypted files with Stellar Data Recovery Professional
- Restore encrypted files with Windows Previous Versions
- Restore files with Shadow Explorer
- How to protect from threats like Babuk Locker Ransomware
Download Removal Tool
To remove Babuk Locker Ransomware completely, we recommend SpyHunter 5. It detects and removes the files, folders and registry keys belonging to Babuk Locker Ransomware. The trial version of SpyHunter 5 offers a virus scan and one-time removal for free. Keep in mind that removing the malware stops further encryption but does not decrypt anything, and that on a network the affected machine should be isolated first so the operators cannot return through the same access.
Alternative Removal Tool
Alternatively, you can use Norton Antivirus from Symantec. It detects and removes the files, folders and registry keys of Babuk Locker Ransomware and prevents future infections by similar threats.
Babuk Locker Ransomware files:
How To Restore Your Files.txt
DECR.txt
ecdh_pub_k.bin
BABUK.exe
malware.exe_.exe
{randomname}.exe
Babuk Locker Ransomware registry keys:
no information
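A first-response check, added here as an example (not part of the original guide): the Python below walks a directory tree for the indicators listed above (the three encrypted-file extensions, the two note names and ecdh_pub_k.bin), counts them and reads the modification times of encrypted files to bound when encryption ran. The directory it builds is constructed for the example; point triage() at a real share or volume to use it.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Indicators taken from the page: extensions appended to encrypted files,
# ransom note names, and the dropped ECDH public key file.
ENCRYPTED_SUFFIXES = (".__NIST_K571__", ".babyk", ".babuk")
NOTE_NAMES = {"how to restore your files.txt", "decr.txt"}
KEY_FILE_NAME = "ecdh_pub_k.bin"

def _iso(ts: float) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()

def triage(root) -> dict:
    """Walk `root` and summarise Babuk-style artefacts found under it."""
    root = Path(root)
    summary = {
        "encrypted": {s: 0 for s in ENCRYPTED_SUFFIXES},
        "notes": [],          # relative paths of ransom notes
        "key_files": [],      # (relative path, size) of dropped public-key files
        "first_seen": None,   # earliest mtime of an encrypted file, UTC ISO-8601
        "last_seen": None,    # latest mtime of an encrypted file
    }
    mtimes = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        lower = path.name.lower()
        rel = str(path.relative_to(root))
        suffix = next((s for s in ENCRYPTED_SUFFIXES if lower.endswith(s.lower())), None)
        if suffix:
            summary["encrypted"][suffix] += 1
            mtimes.append(path.stat().st_mtime)
        elif lower in NOTE_NAMES:
            summary["notes"].append(rel)
        elif lower == KEY_FILE_NAME:
            summary["key_files"].append((rel, path.stat().st_size))
    if mtimes:
        summary["first_seen"], summary["last_seen"] = _iso(min(mtimes)), _iso(max(mtimes))
    summary["notes"].sort()
    return summary

def build_sample_tree() -> Path:
    """Constructed directory layout for the example (not a real infection)."""
    root = Path(tempfile.mkdtemp(prefix="babuk_triage_"))
    (root / "Finance").mkdir()
    (root / "Finance" / "1.pdf.babyk").write_bytes(b"\x00" * 64)
    (root / "Finance" / "How To Restore Your Files.txt").write_text("*** By BABUCK LOCKER ***\n")
    (root / "HR").mkdir()
    (root / "HR" / "report.docx.__NIST_K571__").write_bytes(b"\x00" * 64)
    (root / "HR" / "DECR.txt").write_text("----------- [ Hello! ] ------------->\n")
    (root / "HR" / "untouched.txt").write_text("not encrypted\n")
    (root / "AppData").mkdir()
    (root / "AppData" / KEY_FILE_NAME).write_bytes(os.urandom(32))   # constructed key blob
    return root
```

The mtime window is the useful output: it tells you roughly when the locker ran on this host, which is the anchor for pulling logon, RDP and VPN events from the same period. Run the check from a clean system against a mounted copy where possible, and keep ecdh_pub_k.bin and a few encrypted files, since a future decryptor may need them.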
How to decrypt and restore .babyk or .babuk files
Use automated decryptors
Kaspersky RakhniDecryptor
Kaspersky's RakhniDecryptor handles a fixed list of ransomware families, and Babuk (Babyk) is not one of them: running it against .babyk or .babuk files will simply report them as unsupported. The free decryptor that does exist for this family was published by Avast in late 2021, after the Babuk source code and a set of the operators' private keys leaked; it recovers files only for victims whose keys were part of that leak, so a failed run means your key was not among them, not that the files are corrupt. Before trying any decryptor, copy the encrypted files somewhere safe and work on the copies.
There is no point in paying the ransom: there is no guarantee that you will receive a working key, and paying marks you as a target willing to pay while funding the next campaign.
Dr.Web Rescue Pack
The antivirus vendor Dr.Web provides a free decryption service for owners of its products, Dr.Web Security Space or Dr.Web Enterprise Security Suite. Other users can ask for help with .babyk or .babuk files by uploading samples to the Dr.Web Ransomware Decryption Service. Analysis of the files is free of charge; if the files turn out to be decryptable, you need to purchase a 2-year licence of Dr.Web Security Space (about $120 or less). Otherwise you do not have to pay.
If you are infected with Babuk Locker Ransomware and have removed it from your computer, you can try to recover your files. Antivirus vendors and individual researchers publish free decryptors for some crypto-lockers; where no decryptor applies, the recovery options below are what remain:
Use Stellar Data Recovery Professional to restore .babyk or .babuk files
A file-recovery tool can only bring back data that was deleted but not overwritten. If the ransomware wrote a new encrypted file and deleted the original, the original's blocks may still be carvable; if it encrypted the file in place, nothing of the original remains on disk. Work on a copy of the disk rather than the live system, so the recovery itself does not overwrite what is left.
- Download Stellar Data Recovery Professional.
- Click Recover Data button.
- Select type of files you want to restore and click Next button.
- Choose location where you would like to restore files from and click Scan button.
- Preview found files, choose ones you will restore and click Recover.
Using Windows Previous Versions option:
(The ransom note states that backups are deleted, and that includes the Volume Shadow Copies this feature relies on, so expect an empty list. It is still worth checking, since the deletion may have failed on some volumes.)
- Right-click on infected file and choose Properties.
- Select Previous Versions tab.
- Choose particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- If there are no items in the list, choose an alternative method.
Using Shadow Explorer:
- Download Shadow Explorer program.
- Run it and you will see a screen listing all drives and the dates on which shadow copies were created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- If there are no dates in the list, choose an alternative method.
If you are using Dropbox:
- Log in to the Dropbox website and go to the folder that contains the encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect your computer from viruses like Babuk Locker Ransomware in future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
ZoneAlarm by Check Point offers a dedicated tool that adds active anti-ransomware protection as an extra layer on top of your existing antivirus. It provides zero-day protection against ransomware and can roll back encrypted files. ZoneAlarm Anti-Ransomware is compatible with other antivirus, firewall and security software, except ZoneAlarm Extreme (which already includes it) and Check Point Endpoint products. Its main features are automatic file recovery, overwrite protection that immediately restores any file an encryptor has touched, and behavioural file protection that detects and blocks encryptors it has never seen before.
2. Back up your files
As an additional way to keep your files safe, we recommend an online backup that the malware cannot reach. Local storage such as hard drives, SSDs and flash drives, and remote network storage, is encrypted along with everything else once it is plugged in or mapped: Babuk Locker enumerates reachable network shares and encrypts them as well, which is why the ransom note can claim that backups on the network are gone. A backup only helps against ransomware if it is offline, or versioned and write-protected, so that the copy from before the infection survives. One convenient service for automatic online backup is iDrive, which has competitive terms and a simple interface. You can read more about iDrive cloud backup and storage here.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments in spam or phishing e-mails are the most common ransomware delivery method. Using spam filters and creating anti-spam rules is good practice. One of the leading anti-spam products is MailWasher Pro; it works with various desktop mail clients and provides a very high level of spam protection.