Babuk ransomware burst onto the cybercrime scene in early 2021, quickly gaining notoriety for its targeted attacks against large enterprises and its unique, albeit sometimes flawed, encryption methods. Operating under a Ransomware-as-a-Service (RaaS) model initially, the group employed double extortion tactics, encrypting victim data and threatening to leak stolen sensitive information if the ransom was not paid. While its initial operational run under the "Babuk" banner was relatively short-lived, its legacy persists due to a significant internal dispute that led to the leak of its complete source code, builder, and internal operational details. This leak effectively lowered the barrier to entry for other cybercriminals, spawning numerous variants and copycat operations, ensuring that the Babuk threat, in various forms (sometimes referred to as Babuk V2 or simply derivatives), continues to plague organizations worldwide.
Understanding the origins, evolution, tactics, and defense strategies against Babuk and its derivatives is crucial for security professionals aiming to protect their organizations from this persistent and adaptable ransomware family.
The Babuk ransomware operation, also identified by aliases such as Babuk Locker and Vasa Locker, emerged as a significant cyber threat at the beginning of 2021. It distinguished itself through targeted attacks, primarily focusing on large corporate networks for high ransom demands – a strategy often referred to as "Big Game Hunting." The group utilized double extortion, maintaining a dedicated leak site named "Payload Bin" to publish stolen data from victims who refused to pay. Despite its initial success and sophisticated approach for a new entrant, the group's internal structure proved unstable. Following a high-profile attack on the Washington D.C. Metropolitan Police Department (MPD) in April 2021, internal disagreements seemingly led to a fracture within the group and the subsequent leak of its source code in September 2021. This event marked a pivotal moment, democratizing the Babuk malware and leading to its proliferation and adaptation by numerous other threat actors.
Threat actor card for Babuk/Babuk2
Feature | Description |
---|---|
Aliases | Babuk Locker, Babyk, Vasa Locker, Babuk V2 |
First Seen | Early 2021 |
Origin | Suspected Russian-speaking, though definitive attribution remains challenging. |
Type | Ransomware (initially RaaS, later source code leaked) |
Key Tactics | Double Extortion, Big Game Hunting (initially), RDP Exploitation, Vulnerability Exploitation (ProxyShell) |
Malware Features | ChaCha8/SOSEMANUK + Curve25519 encryption, Multithreading, Network Share Encryption, ESXi Encryptor |
Significant Event | Source code leak (September 2021), MPD Attack (April 2021) |
Status | Original group likely fractured/rebranded; Source code widely used by other actors. |
The post-leak era saw the continuation of Babuk-related activity, sometimes dubbed "Babuk V2" or attributed to splinter elements of the original group, often focusing on small-to-medium-sized businesses (SMBs) rather than just large enterprises. More importantly, the leaked code became a foundation for new ransomware families, ensuring Babuk's TTPs and encryption mechanisms remain relevant threats.
Babuk was first observed in the wild around January 2021. Security researchers quickly noted its relatively sophisticated implementation compared to other emerging ransomware strains, particularly its use of the ChaCha8 stream cipher (later versions used SOSEMANUK) for file encryption, combined with Curve25519 for key generation and protection. The group operated a RaaS affiliate program, recruiting partners to deploy the ransomware in exchange for a share of the profits.
While direct state sponsorship is not typically associated with Babuk, linguistic analysis of internal communications and ransom notes, coupled with forum activities, led many researchers to suspect origins within Russian-speaking cybercrime communities. However, definitive proof linking the group to a specific nation-state or established APT group remains elusive.
The group's trajectory dramatically shifted after its attack on the Washington D.C. MPD in April 2021. After exfiltrating sensitive data and threatening its release, the group faced immense pressure and public scrutiny. Shortly after, the operators announced they were retiring from encrypting networks of large corporations and governmental entities, intending to focus solely on data theft and extortion, possibly rebranding or shifting their operational model. They also claimed they would release their ransomware builder publicly, though this did not immediately happen in the way they described.
The true turning point came in September 2021 when an individual claiming to be a disgruntled developer within the Babuk team leaked the complete source code for the Windows and ESXi versions of the ransomware, along with the builder and decryption tools, on a Russian-speaking cybercrime forum. This leak included details about past victims and operational chats. The developer cited dissatisfaction with the group's leadership and handling of profits as the motive.
This unprecedented leak fundamentally changed the landscape. While the original core group might have fractured or attempted to rebrand (potentially as "Babuk V2" or contributing to other projects), the readily available source code allowed numerous less-skilled actors to launch their own ransomware campaigns based on Babuk's foundation. This led to a surge in attacks using modified Babuk variants, often targeting a broader range of victims, including SMBs, and sometimes exhibiting less sophisticated operational security than the original group. Ransomware families like Nokoyawa and potentially others have since emerged, demonstrably borrowing heavily from the leaked Babuk codebase.
Babuk operators and actors using its leaked code employ a multi-stage attack methodology common among modern ransomware groups, focusing on infiltration, privilege escalation, lateral movement, data exfiltration, and finally, encryption.
Initial Access: Babuk commonly gains entry through exposed Remote Desktop Protocol (RDP) connections secured with weak credentials, spear-phishing emails containing malicious attachments or links, and exploiting unpatched vulnerabilities in public-facing applications. Notably, actors using Babuk variants were observed exploiting vulnerabilities like the Microsoft Exchange Server ProxyShell flaws (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
Execution & Persistence: Once inside, attackers use tools like PowerShell and Cobalt Strike beacons for command execution and maintaining persistence. They often create scheduled tasks or modify registry run keys to ensure the malware executes automatically or survives reboots. The ransomware executable itself is typically deployed manually by the attacker after sufficient reconnaissance and privilege escalation.
Privilege Escalation: Gaining administrative privileges is crucial. Techniques include exploiting local vulnerabilities (e.g., using tools like Mimikatz to dump credentials) or leveraging misconfigured Active Directory permissions.
Defense Evasion: Babuk actively attempts to disable security software and monitoring tools. It terminates processes and services associated with antivirus, EDR solutions, backup agents, and database servers to prevent interference with the encryption process. A key tactic is deleting Volume Shadow Copies using `vssadmin.exe delete shadows /all /quiet` to prevent easy file recovery.
Discovery: Attackers perform extensive network reconnaissance using tools like Advanced IP Scanner or native Windows commands (`net view`, `nltest`) to map the network, identify domain controllers, file servers, backup servers, and virtual infrastructure (like VMware ESXi hosts, targeted by a specific Babuk variant).
Lateral Movement: Once administrative credentials are obtained, attackers move laterally across the network to deploy the ransomware widely. Common tools for this include PsExec, Windows Management Instrumentation (WMI), and exploiting SMB protocols.
Exfiltration: Before deploying the ransomware, Babuk operators engage in data theft (double extortion). Sensitive files are identified, compressed, and exfiltrated to attacker-controlled infrastructure, often using legitimate cloud storage services (like MEGA, Dropbox) or tools like Rclone to blend in with normal traffic and bypass data loss prevention (DLP) systems.
Impact (Encryption): The final stage involves running the ransomware executable across compromised systems. Babuk's encryptor is known for its multithreaded approach for faster encryption. It targets local drives and accessible network shares. Different versions used ChaCha8 or SOSEMANUK for symmetric encryption, with public-key cryptography (Curve25519) protecting the symmetric keys. Encrypted files are typically appended with a `.babuk` or `.babyk` extension (though variants may use others), and a ransom note (often named `Help Restore Your Files.txt` or similar) is dropped in directories containing encrypted files, instructing the victim on how to contact the attackers and pay the ransom, usually via a TOR-based chat portal. Specific versions were developed to target VMware ESXi hypervisors, crippling virtualized environments.
Initially, the Babuk group focused on Big Game Hunting, targeting large enterprises with annual revenues potentially exceeding millions of dollars, believing they had the capacity and incentive to pay multi-million dollar ransoms. After the MPD incident and the subsequent source code leak, attacks utilizing Babuk code became less discriminate. While large organizations are still targeted, numerous campaigns using Babuk variants have impacted small-to-medium-sized businesses (SMBs) across various sectors.
Target Industries: Babuk and its derivatives have shown little industry preference, hitting a wide range of sectors globally. Notable targeted industries include:

- Manufacturing
- Healthcare
- Technology & IT Services
- Transportation & Logistics
- Legal Services
- Finance
- Construction
- Retail
- Critical Infrastructure (including energy and utilities)
- Government (as seen with the MPD attack)
Geographic Focus: While attacks have been observed worldwide, there has been a significant concentration of victims in North America (USA, Canada) and Europe. However, the global availability of the source code means attacks can originate from anywhere and target organizations in any region.
Motivations: The primary motivation behind Babuk operations is financial gain through ransom payments. The double extortion tactic increases pressure on victims by adding the threat of data leakage, reputational damage, and potential regulatory fines. While the original group made some political statements around the MPD attack, the overarching goal remained monetary.
Potential Impact: A successful Babuk attack can have severe consequences:

- Operational Disruption: Encryption of critical systems can halt business operations for days or weeks.
- Data Loss: Even if backups exist, recent data might be lost. If backups are compromised or unavailable, data loss can be permanent.
- Data Breach: Exfiltration of sensitive corporate, employee, or customer data can lead to regulatory penalties (e.g., under GDPR, CCPA), lawsuits, and loss of customer trust.
- Financial Costs: Include ransom payments (if made), recovery efforts, incident response services, legal fees, and potential revenue loss.
- Reputational Damage: Public disclosure of a breach can severely damage an organization's reputation.
Several high-profile attacks and trends have been associated with Babuk:
Washington D.C. Metropolitan Police Department (April 2021): This was arguably Babuk's most infamous attack. The group claimed to have stolen over 250GB of sensitive data, including internal memos, informant information, and officer personnel files. They leaked some data to pressure the MPD and eventually released a large portion when ransom negotiations failed. This incident brought significant law enforcement and media attention to the group.
Attacks on Large Enterprises (Early 2021): Before the MPD incident, Babuk successfully targeted several large corporations across various sectors, demanding ransoms reportedly ranging from $60,000 to over $85,000 USD (payable in Bitcoin), although exact figures and victim identities often remain undisclosed.
Post-Source Code Leak Proliferation (Late 2021 - Present): Following the leak in September 2021, security researchers observed a marked increase in ransomware attacks deploying Babuk code or close variants. These campaigns often lacked the sophistication of the original group but leveraged the potent encryption and ESXi-targeting capabilities of the leaked malware. Numerous smaller actors adopted the code, targeting a wider, less selective range of victims globally.
Emergence of Derivative Families: The leaked code served as a direct foundation for new ransomware operations. Nokoyawa ransomware, which appeared in early 2022, shares significant code overlap with Babuk. Other groups may have incorporated Babuk code snippets or techniques into their own custom malware, making direct lineage tracking complex but highlighting Babuk's enduring influence.
Defending against Babuk and its derivatives requires a multi-layered security strategy focused on preventing initial access, detecting malicious activity early, and ensuring rapid recovery.
Patch Management: Regularly patch systems and applications, especially public-facing ones like VPNs, RDP gateways, and web servers (e.g., Microsoft Exchange). Prioritize vulnerabilities known to be exploited by ransomware groups.
Secure Remote Access: Implement Multi-Factor Authentication (MFA) for all remote access, particularly RDP and VPNs. Disable RDP if not needed, or restrict access to specific trusted IP addresses. Use strong, unique passwords for all accounts.
Email Security: Deploy advanced email filtering solutions to block phishing attempts and malicious attachments. Conduct regular security awareness training for employees to help them identify and report phishing emails.
Endpoint Security: Utilize robust Endpoint Detection and Response (EDR) solutions with anti-ransomware capabilities. Keep antivirus signatures and behavioral detection engines up-to-date. Configure EDR/AV to block known Babuk indicators and TTPs (e.g., suspicious PowerShell commands, `vssadmin` abuse).
Network Segmentation: Segment networks to limit lateral movement. Isolate critical assets and ensure that compromised systems cannot easily reach sensitive data stores or backup infrastructure.
Access Control: Enforce the principle of least privilege. Ensure users and service accounts only have the permissions necessary to perform their roles. Regularly audit administrative accounts and privileges.
Backup and Recovery: Implement a comprehensive backup strategy following the 3-2-1 rule (three copies, two different media types, one offsite/offline/immutable). Regularly test backup restoration procedures to ensure they work effectively. Protect backup systems themselves from attack.
Monitoring and Detection: Implement centralized logging and monitoring using a SIEM solution. Monitor for suspicious activities such as large data transfers (potential exfiltration using tools like Rclone), attempts to disable security tools, execution of `vssadmin`, network scanning, and unusual login patterns. Monitor ESXi environments for signs of compromise.
Incident Response Plan: Develop and maintain an incident response plan specifically addressing ransomware attacks. Ensure roles, responsibilities, communication channels, and recovery steps are clearly defined and regularly tested through tabletop exercises.
Threat Intelligence: Stay informed about the latest Babuk variants, TTPs, and Indicators of Compromise (IoCs) through threat intelligence feeds and security community reports.
Babuk ransomware emerged as a potent threat in 2021, characterized by targeted attacks, strong encryption, and double extortion tactics. While the operational lifespan of the original group under the Babuk name was relatively short, its impact was significantly amplified by the unprecedented leak of its source code. This event democratized a capable ransomware toolset, enabling numerous cybercriminals to launch attacks based on its code, leading to the rise of variants and derivative families like Nokoyawa. Babuk's legacy highlights the volatility within cybercrime groups and the cascading effect that leaked malware can have on the threat landscape. Defending against Babuk and its progeny requires a vigilant, layered security posture focusing on prevention, detection, and robust recovery capabilities. Understanding its TTPs remains critical for organizations seeking to protect themselves from this persistent and evolving ransomware threat.
The following table outlines common Tactics, Techniques, and Procedures associated with Babuk ransomware operations, based on observed attacks and analysis of the malware and leaked code. Technique IDs follow the MITRE ATT&CK framework.
Tactic | Technique ID | Technique Name | Description |
---|---|---|---|
Initial Access | T1078 | Valid Accounts | Using compromised credentials (e.g., RDP, VPN) to gain initial access. |
| T1190 | Exploit Public-Facing Application | Exploiting vulnerabilities like ProxyShell in Microsoft Exchange or other web application flaws. |
| T1566 | Phishing | Using spear-phishing emails with malicious attachments or links. |
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Using PowerShell for reconnaissance, downloading tools, and executing commands. |
| T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Using batch scripts or command prompt for execution. |
| T1204.002 | User Execution: Malicious File | Relies on user interaction to execute malicious payloads delivered via phishing or other means. |
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Modifying registry keys or placing files in startup folders to maintain persistence. |
| T1053.005 | Scheduled Task/Job: Scheduled Task | Creating scheduled tasks to execute payloads periodically or after reboot. |
Privilege Escalation | T1078 | Valid Accounts | Using stolen administrative credentials. |
| T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Bypassing UAC to execute processes with higher privileges. |
| T1068 | Exploitation for Privilege Escalation | Exploiting local vulnerabilities to gain SYSTEM privileges. |
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Terminating processes/services related to AV, EDR, backup software. |
| T1484.001 | Domain Policy Modification: Group Policy Modification | Potentially modifying Group Policy to disable security features (less common but possible). |
| T1070.004 | Indicator Removal on Host: File Deletion | Deleting logs or tools used during the attack. |
| T1562.009 | Impair Defenses: Safe Mode Boot | Potentially rebooting into Safe Mode to bypass security tools (observed in some ransomware). |
| T1490 | Inhibit System Recovery | Deleting Volume Shadow Copies using `vssadmin.exe`. |
Credential Access | T1003 | OS Credential Dumping | Using tools like Mimikatz to extract passwords and hashes from memory. |
Discovery | T1082 | System Information Discovery | Gathering information about the OS, hardware, and system configuration. |
| T1016 | System Network Configuration Discovery | Identifying network settings, IP addresses, DNS servers, etc. |
| T1049 | System Network Connections Discovery | Identifying active network connections to find other potential targets. |
| T1135 | Network Share Discovery | Enumerating network shares to identify file servers and data repositories. |
| T1087.002 | Account Discovery: Domain Account | Enumerating domain user and administrator accounts using tools like `net user /domain`. |
Lateral Movement | T1021.001 | Remote Services: Remote Desktop Protocol | Using RDP to move between systems with compromised credentials. |
| T1021.002 | Remote Services: SMB/Windows Admin Shares | Using tools like PsExec or native commands to execute code on remote systems via SMB shares (e.g., C$). |
| T1021.006 | Remote Services: Windows Remote Management | Using WinRM/WMI for lateral movement. |
Collection | T1005 | Data from Local System | Collecting files from local drives. |
| T1039 | Data from Network Shared Drive | Collecting files from accessible network shares. |
| T1119 | Automated Collection | Scripting the collection of specific file types or data from discovered locations. |
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | Using HTTP/HTTPS for C2 communication, often via TOR for anonymity. |
| T1105 | Ingress Tool Transfer | Downloading additional tools (Cobalt Strike, Mimikatz, Rclone) from attacker-controlled servers. |
Exfiltration | T1041 | Exfiltration Over C2 Channel | Sending stolen data back through the established C2 channel. |
| T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Uploading stolen data to legitimate cloud services like MEGA, Dropbox, etc., using tools like Rclone. |
Impact | T1486 | Data Encrypted for Impact | Encrypting files on local systems and network shares using ChaCha8/SOSEMANUK and Curve25519. |
| T1490 | Inhibit System Recovery | Deleting backups or shadow copies to prevent recovery. |
| T1491.001 | Defacement: Internal Defacement | Leaving ransom notes on compromised systems. |
| T1485 | Data Destruction | While primarily encryption, faulty implementation or deliberate action could lead to data loss. |
| T1489 | Service Stop | Stopping services (databases, backups) before encryption. |
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.