In early 2021, the Babuk ransomware operation emerged, targeting businesses through double-extortion attacks. Multiple large enterprises were attacked, with one victim having to pay $85,000 after negotiations. However, the group faced a setback when their ransomware source code and various encryptors and decryptors were leaked on a Russian-speaking hacking forum in September 2021. Their activities drew attention after an attack on Washington DC’s Metropolitan Police Department (MPD) and subsequent scrutiny from U.S. law enforcement. In response, the Babuk members took different paths, with the administrator creating the Ramp cybercrime forum while other core members relaunched the ransomware as Babuk V2.
Recently, there has been an alarming rise in new ransomware families targeting VMware ESXi servers. Cybersecurity researchers have identified nine new Babuk-based ransomware variants between the latter half of 2022 and the first half of 2023, all built on the leaked Babuk source code: RTM Locker, Rook, Rorschach (also known as BabLock), Mario, Play, Cylance, Dataf Locker, Lock4, and XVGV. While some connections suggest potential collaboration or shared code between Babuk, Conti, and REvil, other variants show minimal similarity to Babuk. These ransomware attacks target enterprises by methodically compromising their networks, with the transportation, healthcare, plastics, electronics, and agricultural sectors being primary targets across various regions. This adoption of Babuk’s code indicates a growing trend of threat actors using it to develop ESXi and Linux lockers, with the possibility of future adoption of Babuk’s NAS locker. The leaked code also allows actors with limited resources to develop Linux ransomware without significant modifications. However, the use of shared tools complicates attribution efforts.
In April 2023, a new ransomware operation called RA Group was discovered using the Babuk malware. The RA Group leverages Babuk’s capabilities to carry out targeted attacks against various organizations in the U.S. and South Korea. Babuk ransomware, with its advanced encryption techniques, allows the RA Group to compromise networks and encrypt sensitive data, demanding ransom payments for its release. The RA Group’s use of Babuk highlights the growing sophistication and adaptability of ransomware operations, posing significant challenges to cybersecurity professionals and organizations worldwide.
The entry vectors for Babuk attacks include email spear-phishing, exploitation of public-facing applications, and the use of valid accounts, with a focus on weakly protected Remote Desktop Protocol (RDP) access. To mitigate the risk of Babuk ransomware, it is recommended to update endpoint protection, enable tamper protection and rollback features, and implement robust credential management and multi-factor authentication.