Personal Research NWGen Babuk ETCH - Awesomehood/Capstone GitHub Wiki

Case Study - East Tennessee Children's Hospital Ransomware Attack

Group Analysis - NWGen Ransomware group


The NWGen ransomware group is not an easy group to gather information on. They are known to be connected to LAPSUS$, as the Telegram contact in their ransom notes was outed for going rogue. redeyeg0d is the same handle as the one in the ransomware note.


Another example of LAPSUS$ members (most likely former members now) being part of the NWGen group is the connection between two posts made by the same user. The first is from a user called 4c3, who claims to be speaking for LAPSUS$.

And then we have this post, which was made by the very same 4c3.


We learn here that the W stands for Worst and Gen is short for Generation, which leads me to believe that the N stands for New. Another assumption I can make is that these users are most likely from Generation Z; this is just speculation. Note that the profile picture is related to the NWGen logo, as both reference the manga/anime "One Piece", and the two user IDs match, confirming that the same user made both posts. The forum that was going to be used was shut down by the FBI on the 12th of April.

No one wants to buy their data, as they are mainly targeting children's hospitals.


Ransomware family - Babuk

Babuk ransomware is a new threat that first appeared in January 2021. The team is gaining more visibility by advertising on underground forums. The encryption function does not differ much from other ransomware. An important point to note is the fact that no language blacklist is embedded in the malware. The codebase itself and artefacts dropped, like the ransom notes, are highly similar to what was previously observed in Vasa Locker activities. There is a clear connection between the two variants, and probably between the teams, if indeed they are not one and the same.

(Source)

Babuk relies on ChaCha for its file encryption, with the key and nonce generated randomly, which also serves as defense evasion.
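Because a stream cipher like ChaCha keyed with a random key and nonce produces output that is statistically indistinguishable from random bytes, a cipher-agnostic way to spot mass encryption is to measure the entropy of written files. The following is an added defender-side example, not code from this wiki or from any Babuk analysis; the sample buffers are constructed, `os.urandom` stands in for ChaCha output, and the magic-byte list is my own short allow-list for legitimately high-entropy formats.

```python
import math
import os
from collections import Counter

# Constructed sample inputs (not artifacts from the incident or any malware sample).
PLAINTEXT = b"Patient discharge summary: follow-up in two weeks. " * 40
# Stand-in for ChaCha ciphertext: a stream cipher with a random key and nonce
# yields bytes that are statistically indistinguishable from os.urandom output.
CIPHERTEXT_LIKE = os.urandom(2048)
# Compressed data is also high-entropy; a gzip header marks it as a known format.
GZIP_LIKE = b"\x1f\x8b\x08\x00" + os.urandom(2044)

# Magic bytes of legitimate high-entropy formats that should not be flagged
# (assumed allow-list; extend it for the formats seen in your environment).
KNOWN_COMPRESSED = (b"\x1f\x8b", b"PK\x03\x04", b"\x89PNG", b"%PDF", b"\xff\xd8\xff")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform random."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = 7.5) -> bool:
    """Flag a buffer as probable ciphertext: high entropy and no known magic bytes."""
    if any(data.startswith(magic) for magic in KNOWN_COMPRESSED):
        return False
    return shannon_entropy(data) >= threshold


def scan_samples() -> dict:
    """Return {label: flagged} for the constructed samples above."""
    samples = {
        "plaintext": PLAINTEXT,
        "ciphertext_like": CIPHERTEXT_LIKE,
        "gzip_like": GZIP_LIKE,
    }
    return {name: looks_encrypted(buf) for name, buf in samples.items()}


if __name__ == "__main__":
    for name, flagged in scan_samples().items():
        print(f"{name}: {'possible ciphertext' if flagged else 'ok'}")
```

In practice this check is applied to the stream of file writes from a single process, and a burst of high-entropy writes across many documents is the signal, not any single file.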

Demo of Babuk ransomware??

This did not go according to plan; either it got detected or I could not run it. Requires further study to figure out. It is surprisingly hard to attack yourself when you get your malware from a trusted source.