Babuk ransomware is back: targeting companies and demanding up to $85k

Criminals continue their activity in encrypting corporate networks after announcing their exit from the ransomware business

Babuk is back in business with a new version

The threat actors behind the well-known, notorious Russian cybercrime group responsible for spreading the Babuk crypto-extortion virus took themselves out of the crime game earlier this year, announcing a move to data theft extortion instead. However, it seems that the group is back in business and is ready to cause chaos once again. It is believed that the criminals are currently using a new version of their file-encrypting malware and have moved the operation to a new leak site that lists a handful of victims[1].

The Babuk ransomware group became the center of attention earlier in 2021, but it is believed that high-level attacks had started much earlier, probably at the end of 2020. The criminals chose to target huge global companies and demand ransoms as high as $60,000-$85,000 in bitcoin cryptocurrency.

Among the most affected enterprises was the company, which paid at least $85,000 after negotiations. Attacks also hit Washington DC's Metropolitan Police Department (MPD), and the group planned to target the transportation, healthcare, plastic, electronics, and agricultural sectors across the globe[2].

Babuk virus wreaked havoc within police department attack

Babuk became known worldwide practically overnight in April 2021, when the group infiltrated the networks of Washington DC's Metropolitan Police Department (MPD) and threatened to make confidential information public, including the names of suspected gang member informants and intelligence from crime briefings[3].

Babuk changes direction, we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it; if you do not get in touch, we make an announcement.

Even though such activities put many different sectors in danger, cybersecurity experts label Babuk attacks as nothing more than amateurish. Several pieces of research describe the coding as distinctly poor, noting that it does not contain any local language checks, and the hackers seem set on exploiting a variety of popular entry vectors into their target environments.

These can include email phishing, where the initial email delivers a different malware strain. However, things are developing rapidly and some aspects seem to be improving: a new packed version has been found that exploits publicly disclosed but unpatched common vulnerabilities and exposures (CVEs) in remote access software, web servers, network edge hardware, and firewalls[4].

Experts question why the builder is made public

As Babuk is back in action, more news circulates around the infamous group. Apparently, the Babuk ransomware source code has been uploaded to VirusTotal, making it available to all security vendors and competitors. Why it happened, and why now, remains unclear to researchers and cybersecurity specialists.

It seems the hacking group shared its stance on the matter with users of its underground forum. It appears that Babuk is changing direction and is no longer encrypting information on networks. The group states that it will continue to take data but will notify victims about it[5].

Later on, the group shared that the Babuk project will be closed, that its source code will be made publicly available, and that anyone will be able to make their own product based on the original code. What that means for cybersecurity around the world, and whether we should prepare for another massive attack, remains a mystery.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
