The Babuk ransomware gang has returned to its old trick of encrypting corporate networks. They seem not to have followed through on their announced move away from the ransomware business in favor of data theft extortion.
The cybercriminals are now using a new version of their malware and have moved their operation to a new leak site. The site already boasts a few new victims.
The group, first known as Babuk, launched a series of attacks in October 2020, demanding ransoms of up to $85,000 in Bitcoin. They were the criminals behind the much-covered attack on the Metropolitan Police Department in Washington DC, after which they were forced to move to a new extortion model that didn’t rely on encryption. The group also announced plans to release their malware so that other criminals could develop their own ransomware-as-a-service operations. Later, security researcher Kevin Beaumont found the malware on VirusTotal and shared it with the rest of the infosec community.
After shutting down in April, the Babuk gang rebranded as Payload Bin. Since then, its leak site has shown little activity, listing only a few victims that refused to pay the ransom.
But it appears Babuk has not given up on its encryption-based extortion operations. While they released their old version of the malware, they also created a new one to get back into the ransomware business.
The gang also made it clear in a comment on BleepingComputer’s recent post that they did not use the leaked Babuk builder and that they did not want to be associated with it.
The Babuk gang has not stopped raiding corporate networks with file encryption.
It may be that the new business model under Payload Bin did not work out well and the gang returned to its old practices.
It’s still unknown if this is the same Babuk gang that was connected to the attack on the DC police department or if it is a new collective of hackers that split up from the main gang.