A recently leaked Babuk Locker builder, the tool used to generate custom ransomware executables, has been picked up by a threat actor and used in a campaign targeting users in several countries.
Babuk Locker was a ransomware operation that began in 2021. It targeted corporate victims and stole their data for double-extortion attacks. The gang shut down after its April attack on Washington DC's Metropolitan Police Department (MPD) drew more attention from law enforcement and the media than it wanted. It then rebranded as PayLoad Bin and switched to a non-encrypting extortion model.
Last week, security researcher Kevin Beaumont discovered that the Babuk ransomware builder had been uploaded to VirusTotal. The builder can produce payloads for Windows, VMware ESXi, Network Attached Storage (NAS) x86, and NAS ARM devices. All an operator needs to do is edit the ransom note to include their own contact information and then run the build executable, which produces custom encryptors and decryptors for each target platform.
Reports have now emerged that a threat actor used the leaked builder to launch a ransomware campaign. On Tuesday, a Reddit user said they had been hit by a ransomware attack called "Babuk Locker."
According to MalwareHunterTeam, the number of victims submitting reports about Babuk Locker on ID Ransomware has increased significantly since June 29. All the ransom notes had the email address of the same attacker.
This ransomware appends the .babyk extension to the files it encrypts and drops a ransom note explaining how to restore them. Compared to the original Babuk campaign, where ransoms could run to hundreds of thousands, if not millions, of dollars, this new threat demands only 0.006 bitcoin, about $210, from its victims. The new attacks also direct victims to the email@example.com email address for communication, whereas the original Babuk Locker gang used a dedicated Tor payment site.
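The indicators above (the .babyk extension, a dropped ransom note, and a contact e-mail in that note) are enough to build a quick triage check for a host or file share. The following is an added example, not code from the article or from any Babuk tooling: it walks a directory tree, counts .babyk files, finds candidate ransom notes by name and pulls any e-mail addresses out of them, so a responder can tell at a glance how much was touched and which contact address the note names. The note filename hints and the constructed sample tree (including the placeholder e-mail) are assumptions made for this example.

```python
import os
import re
import tempfile

# Indicators from the article: encrypted files carry the ".babyk" extension
# and the dropped ransom note names the attacker's contact e-mail address.
ENCRYPTED_EXT = ".babyk"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Ransom notes are small text files; cap reads so walking a large share
# never slurps big binaries into memory.
NOTE_MAX_BYTES = 64 * 1024

# Filename hints are an assumption for this example, not taken from the page;
# real builds may name the note differently, so tune these to what you see.
NOTE_NAME_HINTS = ("how to", "restore", "recover", "readme", "decrypt")


def is_note_candidate(path):
    """True if the file looks like a ransom note by name alone."""
    name = os.path.basename(path).lower()
    return name.endswith(".txt") and any(h in name for h in NOTE_NAME_HINTS)


def extract_emails(path):
    """Return the distinct e-mail addresses found in the first part of a file."""
    try:
        with open(path, "rb") as f:
            data = f.read(NOTE_MAX_BYTES)
    except OSError:
        return []
    text = data.decode("utf-8", errors="replace")
    return sorted(set(EMAIL_RE.findall(text)))


def triage(root):
    """Walk root and summarise .babyk files and ransom notes found under it."""
    encrypted = []
    notes = {}  # note path -> list of e-mail addresses it contains
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
            elif is_note_candidate(path):
                emails = extract_emails(path)
                if emails:  # a note with no contact address is not useful
                    notes[path] = emails
    contacts = sorted({e for addrs in notes.values() for e in addrs})
    affected = sorted({os.path.dirname(p) for p in encrypted})
    return {
        "encrypted_count": len(encrypted),
        "affected_dirs": affected,
        "notes": notes,
        "contact_emails": contacts,
    }


def build_sample_tree(base):
    """Constructed sample tree mimicking a hit host; not real victim data."""
    docs = os.path.join(base, "docs")
    os.makedirs(docs, exist_ok=True)
    for name in ("report.docx.babyk", "budget.xlsx.babyk"):
        with open(os.path.join(docs, name), "wb") as f:
            f.write(os.urandom(32))  # stand-in for ciphertext
    with open(os.path.join(base, "photo.jpg.babyk"), "wb") as f:
        f.write(os.urandom(32))
    # Placeholder contact address, matching the one quoted in the article.
    with open(os.path.join(base, "How To Restore Your Files.txt"), "w",
              encoding="utf-8") as f:
        f.write("Your files are encrypted. Contact email@example.com to recover them.\n")
    # A benign text file that must not be reported as a note.
    with open(os.path.join(base, "notes.txt"), "w", encoding="utf-8") as f:
        f.write("Meeting notes\n")


def run_demo():
    """Build the constructed tree in a temp directory and triage it."""
    base = tempfile.mkdtemp(prefix="babuk-triage-")
    build_sample_tree(base)
    return triage(base)


if __name__ == "__main__":
    result = run_demo()
    print("encrypted files:", result["encrypted_count"])
    print("affected dirs:", result["affected_dirs"])
    print("contact e-mails:", result["contact_emails"])
```

On a real incident, point `triage()` at the mounted volume or share rather than the temp tree; the contact address it pulls from the note is what lets you match a new report against the address MalwareHunterTeam saw across the ID Ransomware submissions.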
At this point, it is unclear how the new Babuk Locker ransomware is distributed.