Washington Police Department Pwn3d by Ransomware Group Babuk
So it’s all over the news outlets, a police department (Washington DC PD) has been hit by a ransomware syndicate, Babuk. So firstly, let’s be realistic everyone can get pwn3d and at this time our thoughts go out to those affected and to the teams working the response. Being hit by ransomware is NOT fun and not something we would wish upon anyone. That being said this isn’t an ambulance chase, what I want to do hear is look at the TTPs from Babuk in a bit more detail so hopefully we can help inform and educate people so they can strengthen their security postures.
Who are Babuk
According to McAfee and other sources Babuk are a Russian speaking ransomware syndicate:
The Attack Chain
Their initial access methods appear to be based on phishing, exploiting public facing services and using valid accounts. Not a shocker but they are known to attack exposed remote desktop services (oh what a shock they aren’t gaining a foothold using weak TLS! That’s in a joke about snake oil pushers crying about TLS weaknesses and linking that to ransomware, it’s FUD anyway…).
So key points here:
- Speak Phishing
- Exposed Services such as RDP
- Leveraging Valid Accounts
Defending Against Initial Access Vectors used by Babuk
Ok let’s not waste time, let’s look at some high level defensive controls we can put in place:
|Phishing & Spear Phishing||
|Exploit Public-Facing Application||
As you can see this should be fairly foundational security capability. The challenge is, what the marketing world says, what people believe and the reality in peoples networks and systems are often world apart.
Privesc and Lateral Movement
Now this should go without saying but let’s cover off some basic hygiene and security harding:
- Ensure your systems are up to date with the latest OS, application and firmware
- Ensure you have deployed hardened configurations
- Restrict unrequired services
- Use administrator jump boxes and harden the host based firewalls and network based controls to restrict remote administration
- Segment your networks
- Ensure you have visibility, monitoring and alerting
- Harden active directory, honestly we see so many AD’s where they are running configurations left over from Windows Server 2003 and criminals can get DA in minutes let alone hours
- Endpoint Detection and Response investments are going to pay dividends here
- Deploy Sysmon, even if you have an EDR solution the extra telemetry never hurt anyone
Common lateral movement protocols
Ok so toolset they are known to use include:
Remember a threat actor is going to follow the principal of “become the admin”. They will use the same tools you use to manage your network against you. They will attempt to disable security controls and will attempt to spread into your network.
Ransomware gangs such as Babuck also appear to be leveraging extortion so ideally you don’t want them or anyone like them in your nets to start with. You do however need to consider this: If your backups are secure then the ransomware component will be a failure for the criminals, so make sure you have non production domain joined backups, ensure they are on immutable storage (this maybe offside, cloud based or locally on hardened environments). So key here is to make their life harder not easier.
It’s not too late
Remember if you know of weaknesses it doesn’t mean that have to stay that way. This post is a really light view on how you can take steps to defend your networks from common ransomware kill chains.
This isn’t the first time we’ve talked about defending against ransomware so here’s some links to both our content and other content to help you defend:
Things to do before you conduct a ‘red team’ assessment
Ransomware from an RDP Vector
The NCSC, NIST and whole range of organisations have got treat tools, tips and guiance to help you defend. The key part of the journey is taking the first step! It’s better to invest now than regret it later, a few GPOs here, a few ACLs there and you can greatly improve your security posture.
Helping defend against cybercrime, from your friendly hacker team
Hopefully this blog helps inspire you to review and harden your security posture, we love helping people both with our content and our community CTF games but If you are struggling with getting ahead of the game don’t fret, we’ve got your back. We both pwn and defend networks to help you improve your postures, so if you need some help we aren’t far away: