Threat Essentials Blog

New ransomware business model? Babuk builder release

On 23 June this year, Threat Essentials observed a post on a dark web forum by an account previously used by the Babuk ransomware group. The post linked to an alleged tool that allows users to build versions of the Babuk ransomware, potentially leading to widespread use of Babuk variants by threat actors. Innovations and improvements can be made to the original ransomware, further increasing the threat.

Image: Post on hacking forum linking to Babuk builder

The post's author had removed the download link by 28 June. However, we have since discovered a GitHub user who possesses repositories for several ransomware artefacts, including the Babuk builder and source code for the Paradise ransomware, and who posted some weeks earlier on a separate dark web forum. This extends the reach of the tool to threat actors who do not operate on the dark web, and to those who do but were unable to acquire it during the 5-day window in which it was originally available.

Image: Timeline of Babuk builder leak

New tool in cyberattacks: Babuk ransomware builder

We have observed one case where a user on Reddit reported that their files had been encrypted, with file names prepended with a .babyk extension and a ransom note demanding 0.006 Bitcoin (roughly $200 at the time of writing). This does not reflect the modus operandi of Babuk, who are known to target larger entities [1], but instead points to an opportunistic cybercriminal. It demonstrates how quickly threat actors can begin to use new tools such as this in their own criminal operations.

Image: Reddit user reports Babuk ransomware infection ("Attacked by babyk bv02")

Who is Babuk?

Babuk is a ransomware group that gained prevalence in 2021 after their alleged high-profile compromise of the Washington Police Department [1], which led to highly sensitive data being uploaded to their dark web leak blog. Since then, the group has been keeping a low profile, rebranding to "payload.bin" but not utilising their blog.

How is Babuk group operating? Analysis and insights

There are several reasons why the Babuk group may have released a tool like this. One explanation is that by offering their ransomware to other threat actors, they are able to mask their own operations, hide amongst the noise and make it harder to distinguish them from other threat actors using the same ransomware. Alternatively, this could be the first step in Babuk launching a new ransomware-as-a-service (RaaS) model.

References:

[1] DC police confirms cyberattack after ransomware gang leaks data