UPDATED 21:52 EDT / JANUARY 05 2021


Babuk Locker emerges as the first new form of ransomware in 2021

Five days into 2021, already a new form of ransomware has emerged: Babuk Locker.

First detailed Sunday by Chuang Dong, the ransomware uses its own implementation of SHA256 encryption called “ChaCha8” and also uses so-called Elliptic-curve Diffie-Hellman key generation to protect its keys and encrypt files. SHA256 is an encryption standard that has its roots with the U.S. National Security Agency, while ECDH is an anonymous key agreement scheme.

Bleeping Computer reported that Babuk Locker has amassed a small list of victims around the world, with ransom demands varying between $60,000 and $85,000 in bitcoin. Each attack is said to be customized on a per-victim basis, including a hardcoded extension, ransom note and a Tor victim URL.

Typical of the most prevalent forms of ransomware last year, Babuk Locker includes the theft of data with the threat that if a ransom is not paid, the stolen data will be published online. Those behind Babuk Locker are currently publishing stolen data on a hacking forum rather than their own dedicated leak site.

“Babuk is the latest to hit the radar and it looks like the ‘threat actors’ spent all of their Christmas money on pieces of code that they cobbled together to create this ransomware,” Lamar Bailey, senior director of security research at cybersecurity firm Tripwire Inc., told SiliconANGLE. “Some of the code is well done and other areas, like multithreading, are elementary. I suspect they ran out of money to buy good code and instead pieced together what they had with bubble gum and baling wire.”

Bailey explained that if victims try to pay the ransom, they must upload files in a chat so that the hackers can make sure they can decrypt the files, and there’s likely a high failure rate. “Will they make money? Absolutely,” he said. “But like many fads, this will be a thing of the past in a few months and will not generate a lot of money long-term. Until then, stay away from 32 bit .exe files.”

Photo: Pixabay
