The Babuk gang is gone, but its ransomware continues to run rampant

While the Babuk gang ended its ransomware activity at the end of April, its malware has just resurfaced two months later. At issue: a leak of the ransomware creation kit.

“Chaotic” would be the right adjective to describe the journey of Babuk Locker, a true shooting star of the cybercriminal world. Spotted in January 2021 by Bleeping Computer, the ransomware gang quickly stood out for its abundant communication and the publication of an alleged ethical charter. As proof of its verbosity, in 4 months of existence it changed its name twice, from Babuk to Babyk and then Baruk.

In that short span of time, the group managed a few cyberattacks, for example against the Houston Rockets NBA franchise and against the Spanish smartphone retail chain Phone House. Then, at the end of April, Babuk struck a big blow, or rather, too big a blow: its ransomware infected the Washington DC Metropolitan Police Department. Known by the acronym MPD, this department is one of the largest police units in the United States, and its jurisdiction includes the White House, the seat of presidential power.

Image caption: After one ransom too many, Babuk changed its line of business. Source: La Rançon (1996)

Babuk, a hasty retirement

The MPD refused to immediately pay the ransom to reverse the encryption, which triggered the second part of Babuk’s extortion scheme: data leak blackmail. On its blog, the gang bragged about having exfiltrated 250 gigabytes of data belonging to the police: investigation reports, disciplinary commission statements, portraits of defendants and, above all, documents on local criminals. Babuk thus threatened to reveal the identities of the MPD’s sources to local gangs. In other words, it threatened to put lives at risk of retaliation.

While ransomware operators use various pernicious methods, they never put individuals’ lives in the balance so directly. For good reason: such a crime would push them into another area of law, alongside terrorism, and would trigger far more repressive measures from the authorities.

Indeed, shortly after the publication of the threats and the opening of an FBI investigation, Babuk suddenly retired. The operators first announced that they were stopping all activity, then backtracked, indicating that they would continue a data blackmail operation, but without the encryption part. In other words, they would ask victims to pay to recover their data, and if they refused, they would post it on their site. Babuk was abandoned, and PayLoadBin was created.

Babuk ransomware is back … but without its operators

But the story does not end there: following this conversion, the kit used to build its ransomware was leaked and became freely available two months later, around June 26. We are talking about a turnkey tool, usable by low-level cybercriminals. You only need to enter a few commands to put your own information in the ransom note and to create an encryption key for each new target. No need to worry about how the ransomware works; the tool takes care of everything.

As The Record Media points out, it is difficult to identify the origin of the leak. Did the gang publish it on purpose? Was it stolen in a hack? Did the kit leak as a result of a failed sale? Either way, it was only a matter of days before thugs seized it. According to Bleeping Computer, these fears came true just three days later. On June 30 alone, more than 70 people reported being affected by the Babuk ransomware … operated by another person, who gives no information beyond an email address.

Babuk, taken over by low-level cybercriminals

Where the Babuk gang hit companies with ransom demands in the hundreds of thousands of dollars (or even millions), the kit operator is asking for barely $200, to be paid in bitcoin. This behavior suggests an opportunistic attempt rather than the emergence of a new organization.

This could be a problem: poorly controlled ransomware is particularly destructive. If operators do not master their tool’s encryption, they could find themselves in a situation where, even after payment, they are unable to reverse the damage caused. A few questions remain and will determine the future consequences of the leak: is this Babuk user the first in a long list? Is Babuk about to become a ransomware targeting the general public?
