EXECUTIVE SUMMARY:

A major US military contractor recently suffered a ransomware attack. The contractor, PDI Group, manufactures platforms that assist with the transport of weapons and machinery, and it supplies the US Air Force and militaries around the globe.

The operators of Babuk Locker managed to infiltrate PDI Group’s systems and steal 700 GB worth of files. Among them are internal network designs and equipment schematics for military aircraft engine trailers.

Babuk Locker’s leverage

When victims refuse to pay, ransomware extortionists typically threaten to publish the stolen data on an online ‘leak site’. Late last week, the Babuk Locker crew dumped 120 MB of data online, including purchasing records for over 350 past PDI Group clients.

Researchers found that the files also included unencrypted credit card details for past clients. The majority of the cards, however, appear to have long since expired.

Ransomware attacks and the military contractor

In recent years, cyber criminals have launched targeted campaigns against military contractors, and at least six different contractors have been implicated in attacks. The data housed within contractors’ systems is valuable material for nation-state backed groups and others with dubious intent.

A spokesperson for the REvil ransomware gang states that access to military-owned materials is not unheard of among hackers. “I know at the very least that several affiliates have access to…one US Navy cruiser…to a nuclear power plant…to a weapons factory,” stated the unnamed individual.

The REvil representative continued, “As a weapon, [ransomware] can be very destructive…It is quite feasible to start a war. But it’s not worth it—the consequences are not profitable”.

The supply chain and the military contractor

When a military contractor suffers a cyber breach, the downstream effects on the organizations it supplies can be severe. What will we see in relation to this attack? Details are still unfolding.

Babuk Locker ransomware on the rise

One of the newest ransomware operators, the Babuk Locker cartel, emerged on the scene in early 2021. Thus far, the group has preyed upon at least five major enterprises, one of which paid $85,000 to recover its files and to prevent a data dump. The victims come from a range of sectors, including biotech and manufacturing.

As with other ransomware groups, Babuk Locker’s operators focus on ‘big game hunting’. “Despite the amateur coding practices used, its strong encryption scheme that utilizes Elliptic-curve Diffie-Hellman algorithm has proven effective…” says emerging expert Chuong Dong of Georgia Tech.

Research reports indicate that Babuk’s codebase and artefacts mirror those found in Vasa Locker’s. To spread and encrypt resources, Babuk Locker’s ransomware can be driven from the command line and includes three separate built-in commands.

To evade detection, the ransomware enumerates the services and processes that are running and then terminates those on a predefined list, typically security and backup software, so that they cannot interfere with encryption.
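Stopping a predefined set of services before encryption is a behaviour defenders can watch for. The following is an added detection example, not code from the article or from The Record: it scans constructed Windows System log lines in the shape of Event ID 7036 (“service entered the stopped state”) and flags a burst of stops among backup and security services. The sample lines, the keyword list and the thresholds are assumptions for illustration, not Babuk’s actual target list.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample lines imitating Windows System log service-state events
# (Event ID 7036). These are not real telemetry from the PDI Group incident.
SAMPLE_LOG = """\
2021-02-15T03:12:01 7036 The Windows Update service entered the running state.
2021-02-15T03:14:10 7036 The Volume Shadow Copy service entered the stopped state.
2021-02-15T03:14:11 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.
2021-02-15T03:14:11 7036 The Veeam Backup Service service entered the stopped state.
2021-02-15T03:14:12 7036 The Windows Defender Antivirus Service service entered the stopped state.
2021-02-15T03:14:13 7036 The Acronis Agent service entered the stopped state.
2021-02-15T09:30:00 7036 The Print Spooler service entered the stopped state.
"""

LINE_RE = re.compile(r"^(\S+) 7036 The (.+?) service entered the (\w+) state\.$")

# Keywords for backup and security services that ransomware commonly stops.
# Constructed heuristic list for this example; tune it to your environment.
SENSITIVE = ("shadow copy", "backup", "sql", "defender", "antivirus", "acronis", "veeam")


def parse_stops(text):
    """Return (timestamp, service) pairs for stop events of sensitive services."""
    stops = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "stopped":
            continue
        ts, svc = datetime.fromisoformat(m.group(1)), m.group(2)
        if any(k in svc.lower() for k in SENSITIVE):
            stops.append((ts, svc))
    return stops


def detect_mass_stop(text, threshold=3, window=timedelta(seconds=60)):
    """Return the services in the first sliding window holding >= threshold
    sensitive-service stops, or an empty list if no such burst occurs."""
    recent = deque()
    for ts, svc in parse_stops(text):
        recent.append((ts, svc))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            return [s for _, s in recent]
    return []
```

A single stopped backup service is routine; five within a few seconds, shortly before an encryption burst, is the pattern worth alerting on.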

Traditional ransomware tactics have evolved, and organizations have to keep up. Some experts are most concerned about the use of new ransomware strains against pandemic response organizations, including hospitals, health clinics and vaccine distributors.

For more on military contractor attacks and Babuk Locker ransomware, visit The Record.