S0638: Babuk
Analyst context for executives and security teams
Babuk matters because ATT&CK describes it as ransomware-as-a-service used against major enterprises, with both encryption and data-leak extortion in scope. For leaders, the decision value is not a single malware name; it is whether the organization can see and contain the ransomware sequence: discovery of services, processes, files, network connections, shares, and storage, followed by attempts to impair defenses, stop services, inhibit recovery, and encrypt data on Windows and Linux systems.
Executive priority
Treat this as a resilience and incident-readiness use case. Executives should ask whether critical Windows and Linux assets, file shares, backup/recovery paths, and security tooling are monitored well enough to detect discovery and impact behaviors before encryption becomes widespread. Priority should go to evidence that backups are recoverable, recovery features cannot be easily disabled, security tools are protected from tampering, and SOC/IR teams have playbooks for ransomware with possible data-extortion pressure.
Technical view
ATT&CK provides no standalone detection text for Babuk, so validation should be built from its mapped behaviors. SOC and detection teams should test coverage for command shell execution, native API-heavy execution, packed or obfuscated binaries, deobfuscation activity, service/process/network/share/file/storage discovery, service stopping, recovery inhibition, defense tool modification, and data encryption. Because the object is scoped to Windows and Linux, coverage should be confirmed separately across both operating environments rather than assumed from one platform.
Likely telemetry
- Endpoint process creation and command-line logging for Windows and Linux
- Service control and service state-change events
- Process enumeration and termination events
- File, directory, network share, and local storage enumeration activity
- Network connection listings and host network telemetry
Detection direction
- Map detections to the related ATT&CK techniques rather than relying on a Babuk signature alone, especially T1486, T1489, T1490, and T1685 for impact and defense impairment.
- Correlate discovery behaviors across services, processes, network connections, shares, files, and storage; individually these can be administrative, but clustering before encryption is higher value.
- Tune false positives around legitimate administration, backup operations, software deployment, and security tool maintenance by using change windows, admin identity context, and affected asset criticality.
- Validate visibility on Linux as well as Windows, since the ATT&CK object lists both platforms.
- Include packed or obfuscated executable handling in triage workflows, but do not treat packing alone as sufficient evidence of Babuk.
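The correlation described above, as an added example that is not part of the ATT&CK object or Glexia's tooling: endpoint events already mapped to the technique IDs listed on this page are staged per host into discovery cluster, defense impairment/recovery inhibition, and encryption, with an approved change window suppressing only the impairment tier. The event shape, host names and sample telemetry are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Technique groups taken from the behaviours this page maps to Babuk.
DISCOVERY = {"T1007", "T1057", "T1049", "T1135", "T1083", "T1680"}
IMPAIRMENT = {"T1489", "T1490", "T1685"}
ENCRYPTION = {"T1486"}
RANK = ["benign", "discovery-cluster", "impairment-stage", "encryption-stage"]

def stage_hosts(events, window_minutes=30, min_discovery=3, change_window_hosts=()):
    """Return {host: stage} from (iso_timestamp, host, technique_id) tuples. Hosts in an
    approved change window have impairment-tier events ignored (backup maintenance stops
    services legitimately); discovery clustering and encryption are never excused."""
    per_host = defaultdict(list)
    for ts, host, tech in events:
        if host in change_window_hosts and tech in IMPAIRMENT:
            continue
        per_host[host].append((datetime.fromisoformat(ts), tech))
    stages = {}
    for host, evs in per_host.items():
        evs.sort()
        best = 0
        for i, (t0, _) in enumerate(evs):
            # Sliding window anchored on each event: which technique groups co-occur?
            seen = {tech for t, tech in evs[i:] if t - t0 <= timedelta(minutes=window_minutes)}
            clustered = len(seen & DISCOVERY) >= min_discovery
            if clustered and seen & ENCRYPTION:
                best = max(best, 3)
            elif clustered and seen & IMPAIRMENT:
                best = max(best, 2)
            elif clustered:
                best = max(best, 1)
        stages[host] = RANK[best]
    return stages

# Constructed sample telemetry (hypothetical hosts, no real indicators).
SAMPLE_EVENTS = [
    ("2021-03-01T09:00:00", "srv-files-01", "T1057"),  # process listing
    ("2021-03-01T09:01:00", "srv-files-01", "T1007"),  # service enumeration
    ("2021-03-01T09:03:00", "srv-files-01", "T1135"),  # share enumeration
    ("2021-03-01T09:05:00", "srv-files-01", "T1083"),  # file enumeration
    ("2021-03-01T09:07:00", "srv-files-01", "T1489"),  # backup service stopped
    ("2021-03-01T09:08:00", "srv-files-01", "T1490"),  # recovery inhibited
    ("2021-03-01T09:12:00", "srv-files-01", "T1486"),  # mass encryption observed
    ("2021-03-01T10:00:00", "wks-admin-07", "T1057"),  # lone admin process check
    ("2021-03-01T10:01:00", "wks-admin-07", "T1489"),  # lone service restart
    ("2021-03-01T11:00:00", "lnx-db-02", "T1007"),
    ("2021-03-01T11:02:00", "lnx-db-02", "T1057"),
    ("2021-03-01T11:04:00", "lnx-db-02", "T1083"),
]
```

The Linux host surfaces as a discovery cluster only, which is the low-priority but still reportable tier; the lone administrative service restart on the workstation stays benign because no discovery cluster precedes it.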
Mitigation priorities
- Prioritize tested, isolated, and recoverable backups, with monitoring for attempts to delete or disable recovery mechanisms.
- Harden and monitor security tools and logging agents against stopping, tampering, or configuration changes.
- Restrict and monitor administrative capabilities that can enumerate shares, stop services, modify recovery settings, or affect broad file storage.
- Segment and control access to high-value file shares and critical Linux/Windows servers to reduce blast radius.
- Prepare ransomware IR procedures that include containment, preservation of evidence, backup validation, business decision support, and data-extortion communications governance.
Analyst notes and limits
The strongest relationship-driven signal is the combination of discovery, defense impairment, recovery inhibition, service stopping, and encryption. Babuk is described by ATT&CK as RaaS with a Big Game Hunting approach and leak-site extortion, so business stakeholders should include legal, communications, privacy, and continuity teams in ransomware readiness planning.
ATT&CK does not provide Babuk-specific detection guidance in the supplied object. The object lists Windows and Linux platforms but no explicit tactics field; tactical interpretation here comes from the supplied relationships. Local telemetry quality, asset criticality, administrative baselines, and backup architecture are required to assess real coverage.
Babuk
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1685 | Disable or Modify Tools | Babuk can stop anti-virus services on a compromised host. (Citation: Sogeti CERT ESEC Babuk March 2021) |
| Enterprise | T1049 | System Network Connections Discovery | Babuk can use “WNetOpenEnumW” and “WNetEnumResourceW” to enumerate files in network resources for encryption. (Citation: McAfee Babuk February 2021) |
| Enterprise | T1106 | Native API | Babuk can use multiple Windows API calls for actions on compromised hosts including discovery and execution. (Citation: Sogeti CERT ESEC Babuk March 2021) (Citation: McAfee Babuk February 2021) (Citation: Medium Babuk February 2021) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Babuk has the ability to unpack itself into memory using XOR. (Citation: Sogeti CERT ESEC Babuk March 2021) (Citation: Medium Babuk February 2021) |
| Enterprise | T1486 | Data Encrypted for Impact | Babuk can use ChaCha8 and ECDH to encrypt data. (Citation: Sogeti CERT ESEC Babuk March 2021) (Citation: McAfee Babuk February 2021) (Citation: Medium Babuk February 2021) (Citation: Trend Micro Ransomware February 2021) |
| Enterprise | T1027.002 | Software Packing Sub-technique | Versions of Babuk have been packed. (Citation: Sogeti CERT ESEC Babuk March 2021) (Citation: McAfee Babuk February 2021) (Citation: Medium Babuk February 2021) |
| Enterprise | T1489 | Service Stop | Babuk can stop specific services related to backups. (Citation: Sogeti CERT ESEC Babuk March 2021) (Citation: McAfee Babuk February 2021) (Citation: Trend Micro Ransomware February 2021) |
| Enterprise | T1490 | Inhibit System Recovery | Babuk has the ability to delete shadow volumes using |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Babuk has the ability to use the command line to control execution on compromised hosts. (Citation: Sogeti CERT ESEC Babuk March 2021) (Citation: McAfee Babuk February 2021) |
| Enterprise | T1135 | Network Share Discovery | Babuk has the ability to enumerate network shares. (Citation: Sogeti CERT ESEC Babuk March 2021) |
| Enterprise | T1007 | System Service Discovery | Babuk can enumerate all services running on a compromised host. (Citation: McAfee Babuk February 2021) |
| Enterprise | T1057 | Process Discovery | Babuk has the ability to check running processes on a targeted system. (Citation: Sogeti CERT ESEC Babuk March 2021) (Citation: McAfee Babuk February 2021) (Citation: Trend Micro Ransomware February 2021) |
| Enterprise | T1680 | Local Storage Discovery | Babuk can enumerate disk volumes, get disk information, and query service status. (Citation: McAfee Babuk February 2021) |
| Enterprise | T1083 | File and Directory Discovery | Babuk has the ability to enumerate files on a targeted system. (Citation: McAfee Babuk February 2021) (Citation: Trend Micro Ransomware February 2021) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 766246acbed9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Sogeti CERT ESEC Babuk March 2021: Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.
- [2] McAfee Babuk February 2021: Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
- [3] CyberScoop Babuk February 2021: Lyngaas, S. (2021, February 4). Meet Babuk, a ransomware attacker blamed for the Serco breach. Retrieved August 11, 2021.
- [4] Babyk (alias entry): (Citation: Sogeti CERT ESEC Babuk March 2021) (Citation: McAfee Babuk February 2021) (Citation: Trend Micro Ransomware February 2021)
- [5] Trend Micro Ransomware February 2021: Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021.
- [6] Vasa Locker (alias entry): (Citation: Sogeti CERT ESEC Babuk March 2021) (Citation: McAfee Babuk February 2021)
- [7] mitre-attack: S0638
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.