Houston Rockets Investigate Ransomware AttackBabuk Ransomware Gang Reportedly Posted Exfiltrated Team Data
The NBA's Houston Rockets reported on Wednesday that the organization was recently hit with a ransomware attack for which the Babuk cyber gang has taken responsibility.
In a now-removed post on its extortion website, the Babuk gang placed a note and files that purportedly had been removed from the Rockets' network. The gang claims to have removed 500GB of data, including third-party contracts and corporate, customer, employee and financial information.
"Publishing this information could lead to legal problems and cause concern for customers," the note from Babuk said.
Emsisoft threat analyst Brett Callow says that if Babuk is behind the attack, it could make recovering the data difficult, even if the team manages to obtain a decryptor key.
"Babuk incidents are particularly problematic, as the Linux decryptor the actor supplies is buggy and will actually trash data as it's decrypted, resulting in it being lost," Callow says.
Mark Rasch, of the law firm Kohrman Jackson & Krantz, which handles ransomware negotiations but is not involved in this case, warns against concluding that negotiations are in progress or that a ransom was paid based on the fact that the Babuk extortion note was posted and then removed.
"They could have put it up inadvertently, they could have taken it down inadvertently, or they could have done both of them deliberately," he says.
The Rockets organization says ransomware was installed on a few systems but has not otherwise affected team operations. It says the organization's IT staff managed to block the spread of the malware. The team did not say when the attack took place.
"The Rockets organization recently detected suspicious activity on certain systems in its internal network. We immediately launched an investigation to aggressively gather facts and began taking steps to block the unauthorized activity. Leading cybersecurity experts were also engaged to assist in the investigation," the team said in an emailed statement.
The team is working with the FBI and the NBA to investigate the incident.
The Rockets organization offered no details on the information possibly exposed in the attack and did not say whether it was negotiating with its attackers. Some of the files from the purported Babuk posting refer to NBA-related activities and arena operations, and one is labeled "Team Sale."
A few articles published over the past year stated that team owner Tilman Fertitta might be shopping the team, which he purchased in 2017 for $2.2 billion.
"These investigations are complex, dynamic and require time to conduct properly. Until our investigation is completed, it will be difficult to determine with certainty the scope of the incident, but we will continue to work vigilantly to address any potential issues that may affect our fans, employees and players," the team says.
The team says it will notify customers, players or employees if the investigation confirms personal information was exposed.
"Problems like this are not uncommon and highlight the need for organizations to back up encrypted files prior to running the actors' tool," Callow says.
According to Trend Micro, Bauk ransomware was first spotted in December 2020, at which time researchers labeled it Vasa Locker. It was given its current moniker in 2021. Babuk has already received one update from its creators, who added the ability to extract information for extortion purposes, Trend Micro says.
"Babuk Locker utilizes a ChaCha8 stream cipher for encryption and Elliptic-curve Diffie-Hellman for key generation, making the recovery of files without gaining access to the private key highly unlikely," Trends Micro wrote in a February report.
An analysis by McAfee notes that the Babuk attackers use several methods to gain entry to a system, including spear phishing, exploiting a public-facing application or using a weakly protected remote desktop protocol access to obtain legitimate credentials.
Emsisoft has noted several defects in Babuk's code concerning both encryption and decryption when an attack involves Linux and, more specifically, ESXi servers, leading to a total loss of data for the victim.
One bug will cause Babuk only to rename files on an ESXi server, but not encrypt them, Emsisoft says.
"This wouldn't be a huge issue if it wasn't for the fact that the decryptor provided by the Babuk threat actors has no precautions in place to detect whether a file with the *.babyk extension is actually encrypted or not. It will blindly "decrypt" these unencrypted files, trashing them in the process," Emsisoft writes.