Community-facing threat sheet – AW46 (a.k.a. Babuk “Lock”)
TECHNICAL BREAKDOWN
1. File extension & renaming patterns
- Static extension appended: .aw46 (for example invoice.xlsx → invoice.xlsx.aw46)
- Typical addition to filename: most versions of Babuk simply add the extension; they do not rename the original filename body (unlike Conti, LockBit, etc., which randomise or drop the old extension). There were early reports of renaming to id-<RANDOM>-[[email protected]].aw46, yet the bulk of “aw46” lockups observed in the wild use the bare extension.
2. Detection & outbreak timeline
- First observed: March 2021 (ESXi and Windows branch).
- Peak public sightings of the .aw46 extension: mid-2021 to Q1 2022 (take-down attempts); resurged late 2022 with the spin-off “Babuk 2.0” fork. Still pops up in indiscriminate brute-force campaigns.
3. Primary attack vectors
Babuk/aw46 is opportunistic – not spread by worm code, but by layers of human-operated intrusion:

| Delivery path | Tactic / technical notes |
|---|---|
| Brute-forced RDP / SSH | Port 3389/TCP, 22/TCP, 5985/WinRM open to the internet. Credential lists + weak passwords. |
| Exploitation stacks | ESXi – vCenter Server CVE-2021-21972. Windows – unmanaged Exchange (ProxyLogon, Mar-2021), SonicWall SMA (Feb-2021), Fortinet SSL-VPN (Jan-2021). |
| Phishing e-mails | LNK/ISO/ZIP attachments with embedded PowerShell stager “Start.ps1” that downloads the .NET loader svchost.zip from https://cdn.discordapp[.]attachments/.../. |
| DLL side-load & cracked software | Pirated games/CAD tools bundle the Babuk dropper masquerading as dllhost.exe. |

After foothold: Cobalt Strike → BloodHound/Ladon → domain control → NSIS installer pushes aw46.exe to all attached hosts.
REMEDIATION & RECOVERY STRATEGIES
1. Prevention
- Harden external surfaces
  - Disable RDP entirely or allow it VPN-only; enforce 2FA / whitelists.
  - Patch CVEs: vCenter, Exchange (the whole year-2021 RCE family), SonicWall, Fortinet log4j.
  - Remove Java & PowerShell from every system that does not explicitly require them.
- Segment & replicate
  - Zero-trust network segmentation; separate backup VLAN that is air-gapped / immutable (Veeam hardened repo or WORM S3).
- EDR/AV tuning
  - Detect Babuk’s mutex DoYouThinkIChangedThis and the registry persistence path HKLM\SOFTWARE\Babuk Locker. The HarryIOCs repo on GitHub carries YARA rules (Babuk-Locker.yar).
2. Removal
- Boot into Safe Mode with Networking (Windows) or single-user mode (ESXi).
- Identify and kill the lingering “Update Host” service (display name “Update Host Service”). The process name is deliberately msiexec.exe (quinine string) – use taskkill /f /im aw46.exe.
- Delete scheduled tasks: schtasks /delete /TN "BabukService".
- Remove the startup registry value: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\Users\Public\Libraries\aw46.exe".
- AV/EDR post-clean: run the vendor-specific Babuk signature or full CrowdStrike/BloodHound IR kits. Reboot, then repeat the scan for lateral traces.
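A read-only triage script, added here as an example and not part of the original sheet, that checks one Windows host for the indicators named in the EDR/AV tuning and Removal sections (mutex, registry key, Run value, dropper path, scheduled task, service, process, .aw46 files and ransom note) and only reports what it finds. Function name and the $ScanRoot parameter are this example's own; run it in an elevated session.

```powershell
# Added triage helper (not the sheet's own tooling): reports AW46/Babuk indicators
# listed on the sheet without killing, deleting or modifying anything.
function Find-Aw46Indicators {
    param([string]$ScanRoot = "$env:SystemDrive\")   # root for the file sweep
    $f = New-Object System.Collections.Generic.List[string]

    # Mutex named on the sheet; check both the session-local and Global namespaces
    foreach ($name in 'DoYouThinkIChangedThis', 'Global\DoYouThinkIChangedThis') {
        $m = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
                $f.Add("Mutex open: $name"); $m.Dispose()
            }
        } catch [System.UnauthorizedAccessException] {
            $f.Add("Mutex exists but access denied: $name")
        }
    }

    # Registry persistence key and Run value named on the sheet
    if (Test-Path 'HKLM:\SOFTWARE\Babuk Locker') { $f.Add('Registry key: HKLM\SOFTWARE\Babuk Locker') }
    $run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $upd = (Get-ItemProperty -Path $run -ErrorAction SilentlyContinue).Updater
    if ($upd) { $f.Add("Run value Updater = $upd") }

    # Dropper path, scheduled task, service and process named on the sheet
    $dropper = 'C:\Users\Public\Libraries\aw46.exe'
    if (Test-Path $dropper) { $f.Add("Dropper file present: $dropper") }
    if (Get-ScheduledTask -TaskName 'BabukService' -ErrorAction SilentlyContinue) { $f.Add('Scheduled task: BabukService') }
    if (Get-Service -DisplayName 'Update Host Service' -ErrorAction SilentlyContinue) { $f.Add('Service: Update Host Service') }
    $p = Get-Process -Name 'aw46' -ErrorAction SilentlyContinue
    if ($p) { $f.Add("Process aw46.exe running, PID $($p.Id -join ', ')") }

    # Encrypted files and ransom notes; capped at 20 hits so a large tree stays readable
    $hits = Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.aw46' -or $_.Name -eq 'How To Restore Your Files.txt' } |
        Select-Object -First 20
    foreach ($h in $hits) { $f.Add("File: $($h.FullName)") }

    if ($f.Count -eq 0) { $f.Add("No AW46 indicators found under $ScanRoot") }
    return $f
}

Find-Aw46Indicators | ForEach-Object { Write-Output $_ }
```

Any hit is a reason to isolate the host and move to the removal steps above; an empty result on one host does not clear the rest of the domain.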
3. File decryption & recovery
- Can files encrypted by AW46 be recovered without paying?
  YES – Babuk’s master keys were leaked online in September 2021 (Babuk-mastertorrent + Emsisoft Decryptor).
  ● Tool: “Emsisoft Decryptor for Babuk (2023.09)” – supports both .Babuk and .aw46 variants.
  ● Prerequisites: original encrypted copy + ransom note (How To Restore Your Files.txt) next to the encrypted file tree (to extract the victim ID).
  ● CLI (headless): emsisoft_babuk.exe -v -d C:\encrypted\
- If you did NOT preserve a pristine pair (encrypted + decrypted file larger than 100 KB), download Emsisoft’s public reference pair; the decryptor also accepts the .aw46 extension directly.
4. Other critical information
- Unique behaviour:
  - Cross-OS targeting: Windows + ESXi hypervisors in the same breath; SATA lockout on the VMFS3 volume locks VMFS on reboot.
  - Double ransom: before encrypting vmdk files it dumps “vmx” files to collect guest login hashes, then threatens to leak open source ESXi credentials.
- Wider impact: coordinated extortion crippled the Washington DC Metro Police, a basketball super-league and several school districts; the retrospectively leaked root keys stopped the Babuk cartel’s initial ambitions, but fork groups still recycle the tooling under new branding (Nokoyawa, ddv). Treat .aw46 as a zombie strain that can pop up any time a 2021 patch deficit still exists.
Take-aways
- Patch all 2021-era CVEs – this single hygiene step eliminates 80 % of Babuk/aw46 avenues.
- Backups are only safe if offline & credentials rotated; AW46 will seek and prune ESXi “backups” mount points via esxcfg-vmknic -l.
- For victims: run the Emsisoft decryptor ASAP – once it completes, delete the ransom note to avoid psychological relapse ransom calls from residual crons.
Stay safe!