Although they are declaring their retirement from the firm, the Babuk ransomware operators seem to have reverted into old habits with a new attack on corporate networks.
Following the announcement by the ransomware operators - Babuk, that their affiliate program has been closed and that they are moving to data theft extortion, the groups seem to have resorted to their old corporate systems encryption methods.
The hackers are currently using a fresh version of their file-encrypting malware and have relocated the operations to a new leak website that identifies a handful of victims.
At the beginning of the year, the Babuk ransomware group came into recognization, although the gang claimed that their attack began mid-October 2020, aiming businesses worldwide to demand ransoms somewhere between $60,000 and $85,000 in crypt-monetary Bitcoin. There were certain instances wherein victims were required to pay hundreds of thousands to decrypt their data.
The Washington DC Metropolitan Police Department is one of their most prominent victims (MPD). This attack probably led the threat actor to announce their withdrawal from the Ransomware organization only to embrace another extortion model that did not contain encryption.
The group also declared plans to share its malware to let other cybercriminals begin a ransomware-as-a-service operation. The threat actors kept their promise and published their builder, a tool that creates customized ransomware.
Kevin Beaumont, a security researcher, discovered it on VirusTotal and communicated the information for detection and decryption in the infosec community. The gang took the name PayLoad Bin after its shutdown in April, although its leak site displays minimal activity.
Meanwhile, on the dark web, a new leak site with Babuk Ransomware tags surfaced. This site includes less than five victims who refused to pay for the ransom and were targeted with a second virus variant. Babuk does not seem to have abandoned the encryption-based extortion game. They just published the older virus version and built a new one to re-enter the ransomware company.
Pieter Arntz, a security researcher at Malwarebytes, said “Another fact that may be of consequence, somehow, is that researchers found several defects in Babuk’s encryption and decryption code. These flaws show up when an attack involves ESXi servers and they are severe enough to result in a total loss of data for the victim,”
