Babuk ransomware gang decides to stop encrypting victims’ files and instead only steal data and extort victims.
Operators of Babuk ransomware announced over the weekend on their leak site that the gang would close its affiliate program and move to an extortion model that does not rely on encrypting victim computers.
Just the day before this announcement, the gang posted and immediately deleted two announcements about their closing operations and releasing their malware’s source code.
What these messages suggest is that the Babuk ransomware gang has decided to move away from the standard ransomware-as-a-service (RaaS) model, in which operators steal data, then deploy the encryption stage, and only afterwards negotiate a ransom. The newly announced model drops the data encryption step. The cybercriminals will still demand a ransom for information stolen from compromised networks.
“Babuk changes direction, we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it if you do not get in touch we make an announcement,” Babuk ransomware operators said.
Such exfiltration of data is done in a bid for higher ransom payments. The Maze ransomware gang was the first to adopt this practice, in November 2019, and it was later copied by all major ransomware operations. Those include the notorious Clop ransomware attacks at the beginning of 2021, which exploited zero-day vulnerabilities in Accellion’s File Transfer software. The gang didn’t encrypt the files, only stole them, and demanded large payments for not leaking the data. Many victims paid ransoms of tens of millions of dollars.
The reasons for Babuk adopting the new extortion model remain unknown at the moment. To be successful, the gang would now need to exfiltrate larger quantities of data.
In the recent announcement, Babuk calls itself a new team on the ransomware scene but already a well-known one in the business because they have “the best pentesters of dark net.” On their leak site, Babuk claims to have copied 10 terabytes of a victim’s data. And in their most recent attack, the gang claims to have stolen 250 GB of data from the DC police department.