Editor’s note: We will continue to provide updates as further information is forthcoming.
On January 27th, 2025, GuidePoint’s Research and Intelligence Team (GRIT) observed a new Data Leak Site (DLS) and victim posts by an actor or group calling themselves “Babuk 2” in the course of our routine monitoring of ransomware victim claims. The site, which mirrors the previously active DLS of Babuk, quickly listed over 64 alleged victims. Of the listed victims, at least 90% were found to have been claimed by other ransomware groups in the past, and GRIT assesses that the operator behind Babuk 2 is almost certainly attempting to attract attention and credibility by assuming the Babuk name and fabricating or exaggerating their attack history.
Claimed Victims
Early review of the victims posted by “Babuk 2” revealed that at least 90% of the posted victims are known to have been claimed by other ransomware groups. This includes 26 of the posted victims mirroring recent claims by FunkSec, at least 26 of the posted victims mirroring historical claims by RansomHub, at least five of the posted victims mirroring historical claims by LockBit, and at least one mirrored historical claim by Meow. Throughout the “copied” victim notifications, GRIT observed at least 57 cases where the victim organization description and details provided on the Babuk 2 data leak site were an exact match for the original claim by a different threat group.
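One way to automate the overlap analysis described above, as an added example and not GRIT's own tooling: normalize victim names, index prior claims from other groups, and flag any new post whose victim (and, where applicable, its verbatim description) already appears under a different group. The Claim records, group-to-victim pairings and victim names below are constructed placeholders, not real DLS content.

```python
"""Flag recycled data-leak-site claims against a history of prior claims."""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Claim:
    group: str        # ransomware brand that posted the claim
    victim: str       # victim name as shown on the DLS
    description: str  # victim blurb as shown on the DLS
    posted: str       # ISO date of the post

def normalize_name(name: str) -> str:
    # Lower-case, strip punctuation and common corporate suffixes so that
    # "Fabrikam Ltd." and "FABRIKAM" compare equal.
    n = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    n = re.sub(r"\b(inc|corp|corporation|llc|ltd|co|plc|gmbh)\b", " ", n)
    return " ".join(n.split())

def desc_fingerprint(desc: str) -> str:
    # Whitespace-insensitive hash of the blurb to detect verbatim copies.
    return hashlib.sha256(" ".join(desc.lower().split()).encode()).hexdigest()

def find_recycled(new_claims, history):
    """Return (new_claim, prior_claim, exact_description) for every new claim
    whose normalized victim name was previously claimed by another group."""
    index = {}
    for c in history:
        index.setdefault(normalize_name(c.victim), []).append(c)
    hits = []
    for c in new_claims:
        for prior in index.get(normalize_name(c.victim), []):
            if prior.group != c.group:
                exact = desc_fingerprint(prior.description) == desc_fingerprint(c.description)
                hits.append((c, prior, exact))
    return hits

def summarize(new_claims, hits):
    # Distinct recycled victims, share of the new posts, exact-copy count and
    # which original groups the recycled claims were lifted from.
    recycled = {normalize_name(h[0].victim) for h in hits}
    pct = round(100 * len(recycled) / len(new_claims), 1) if new_claims else 0.0
    return {"posted": len(new_claims), "recycled": len(recycled), "recycled_pct": pct,
            "exact_description": sum(1 for h in hits if h[2]),
            "by_original_group": dict(Counter(h[1].group for h in hits))}

# Constructed sample data (placeholder organizations, not real victims).
HISTORY = [
    Claim("FunkSec", "Example Logistics Inc.", "Freight broker based in Example City with 300 staff.", "2025-01-05"),
    Claim("RansomHub", "Contoso Health LLC", "Regional hospital network; 2 TB exfiltrated.", "2024-09-12"),
    Claim("LockBit", "Fabrikam Ltd", "Industrial pump manufacturer.", "2023-03-30"),
]
BABUK2 = [
    Claim("Babuk 2", "EXAMPLE LOGISTICS", "Freight broker based in Example City with 300 staff.", "2025-01-27"),
    Claim("Babuk 2", "Contoso Health", "Regional hospital network; 2 TB exfiltrated.", "2025-01-27"),
    Claim("Babuk 2", "Fabrikam Ltd.", "Valve maker; new intrusion, 500 GB.", "2025-01-28"),
    Claim("Babuk 2", "Northwind Traders", "Wholesale food distributor.", "2025-01-28"),
]
```

On the sample data, three of the four posts are flagged as recycled (75%), two of them with a verbatim description copy, which is the same kind of signal GRIT used to reach its 90% figure.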
History
Babuk (also sometimes spelled Babyk) was an early double-extortion Ransomware-as-a-Service (RaaS) group which operated in early 2021, and we have observed no operational activity from the group since 2022. Babuk’s ransomware builder, which supported encryptors for Windows as well as ESXi, was publicly leaked on a Russian-language hacking forum in June 2021, and portions of the code have since been incorporated into ESXi versions of other ransomware (Conti, REvil, Play, and others) or adopted wholly by other, newer ransomware groups. In the cases where wholesale adoption has taken place, the use of the leaked Babuk builder likely served as a convenient way to overcome the technical barriers of developing a new locker. In this particular case, the adoption of the “Babuk 2” moniker may serve as a means for the threat actor to gain credibility and attention.
Assessment
While there are multiple possible explanations for this behavior, the two most likely are:
- The “Babuk 2” site represents the work of a ransomware affiliate that is claiming their victims across multiple core groups, whether originally affiliated with Babuk or not.
- The “Babuk 2” site represents a cybercriminal attempting to drastically inflate their capabilities and attack history through recycled posting of former ransomware victims, likely with the intent of attracting attention and credibility.
GRIT assesses that the second option is almost certainly the case based on reused attacks from a suspected separate fabricator and the absence of reporting or telemetry indicative of a resurgent and distinct Babuk. For example, the DLS operator posted a copy of a “ransom note” on January 28th, 2025, nearly identical to the format and type used by multiple ransomware groups. Searches for matching strings representative of the Babuk 2-specific letter on VirusTotal yielded a single result, uploaded from Croatia on January 10th, 2025.
Impact
For organizations listed on the Babuk 2 DLS or contacted by alleged affiliates, we highly recommend verifying any alleged intrusion and ruling out possible recycling of past leaked data. Over the past year, GRIT has observed an increase in cases of data extortion by unsophisticated threat actors repurposing formerly breached data to coerce payment in cases where no additional intrusion by the threat actor has taken place. Verification can be completed through DFIR investigation as well as review of the Deep and Dark Web by threat intelligence practitioners.
*** This is a Security Bloggers Network syndicated blog from The Guiding Point | GuidePoint Security authored by Ryan Silver. Read the original post at: https://www.guidepointsecurity.com/blog/ongoing-report-babuk2-babuk-bjorka/