The source code for the Babuk ransomware was leaked on a Russian-speaking hacking forum by an alleged member of the group. The leak contains everything needed to build a functional ransomware executable.
The Babuk ransomware operation launched in 2021. The gang shut down its operation after attacking Washington DC’s Metropolitan Police Department (MPD) earlier this year, but a number of its members relaunched the group as Babuk V2.
The leaked archive contains several Visual Studio projects covering the Windows encryptor, the decryptor, and a private/public key generator.
In its encryption routine, Babuk ransomware uses elliptic-curve cryptography (ECC). According to security researcher Fabian Wosar, who has analyzed the leaked files, the archive also contains per-victim folders. Wosar said these folders contain curve files that look like the ECC decryption keys for those victims, but this has yet to be confirmed.
The Babuk gang had a history of betrayal and backstabbing. Following the attack on the MPD, the group broke up. The ‘Admin’ reportedly wanted to leak the MPD’s data for publicity, but the other members were against it.
“We’re not good guys, but even for us it was too much,” said Babuk’s threat actor.
After the data leak, the remaining members broke with the Admin and launched Babuk V2, while the Admin went on to launch the Ramp cybercrime forum.
Later, the Ramp forum suffered a series of DDoS attacks. The Admin claimed his former partners were behind them, while the Babuk V2 team denied responsibility:
“We completely forgot about the old Admin. We are not interested in his forum,” the threat actors told BleepingComputer.
Wosar has since been receiving intel from threat actors who felt “wronged” by their partners, which has helped him prevent some ransomware attacks.
After the recent source code leak, the fate of the Babuk V2 ransomware gang seems very uncertain. This is a developing story.