Babuk ransomware source code now publicly available
The availability of the code has spurred new attacks by people outside the Babuk group
Despite announcing their exit from ransomware in April, the Babuk gang has made a comeback with a new version it is using to attack corporate networks.
That's according to Bleeping Computer, which says that Babuk has moved its operation to a new leak site, listing victims who have apparently refused to pay. Babuk's new site claims it attacked the victims with a second version of the malware.
Babuk is a relatively new group, which surfaced at the end of last year. It made a name for itself after attacking Washington DC's Metropolitan Police Department (MPD) in April 2021.
Following the attack, the group posted screenshots of the stolen files on its darkweb site and claimed that it was able to exfiltrate more than 250 gigabytes of data from compromised systems. The group later released several MPD officers' personal data online.
In February, multinational outsourcing firm Serco also fell victim to a ransomware attack that was suspected to have come from Babuk.
Shortly after the MPD attack, Babuk's operators announced they were quitting the encryption part of their business, to focus on demanding ransoms for stolen data.
'Babuk changes direction, we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it if you do not get in touch we make an announcement,' the statement from the cyber group said.
The new approach of extorting victims over stolen data rather than over encryption keys ironically meant that the group no longer needed ransomware at all.
The gang said it would make the Babuk ransomware source code publicly available, so 'everyone can make their own product based on our product'. They discussed the idea of 'something like Open Source RaaS [ransomware-as-a-service]'.
It appears that Babuk's operators kept their promise. Security researcher Kevin Beaumont tweeted that he had found the Babuk ransomware builder (used to generate customised payloads and decryption modules) on malware-scanning service VirusTotal.
Beaumont said the builder on VirusTotal would create ransomware for Windows, VMware ESXi virtual machines, and network-attached storage based on ARM and x86 architectures.
Soon after the builder appeared on VirusTotal, a threat actor began using it to launch an active ransomware campaign.
A victim reported on Reddit that they had been attacked with ransomware calling itself 'Babuk Locker'.
Pieter Arntz, a security researcher at Malwarebytes, said it was unclear why Babuk's ransomware builder was uploaded on VirusTotal. By doing so, the cyber actors were basically making the source code available to everyone (although this is, of course, what Babuk had promised to do).
It is also possible that a random person found the builder and uploaded it to check whether it was malicious; or that a rival gang uploaded it to destroy Babuk's operation and get them out of the way.
Malwarebytes researchers have discovered several defects in Babuk's encryption and decryption code.
"It will take a thorough analysis of the Babuk builder before we know whether it contains enough information to create software that can decrypt files encrypted by Babuk ransomware," Arntz said.
"That would be nice for the victims that did not pay the ransom," he added.