Babuk – How a Newcomer soon becomes a Growing Ransomware Threat

Since its discovery in early 2021, the Babuk ransomware gang has become a growing threat to multiple sectors: healthcare, manufacturing, and logistics. It has been highly active lately, demanding ransoms of thousands of dollars from its victims.

In a single month, the gang attacked several organizations, including the Houston Rockets, Phone House Spain, the Washington D.C. Metropolitan Police Department, and Telethon (biotech).

According to recent reports, the Babuk threat actors claim to have stolen more than 250 gigabytes of data from the Washington D.C. Metropolitan Police Department (MPD). The stolen data includes police reports, internal memos, and the personal details and mug shots of arrested people. The data was published on Babuk’s leak website along with the claim, and the gang threatened to publish still more data if its extortion demands are not met.

The attackers reportedly also commented on the security system of MPD. They wrote, “Even such an organization has huge security gaps, we advise them to get in touch as soon as possible and pay us, otherwise we will publish this data”.

Why is Babuk a growing threat?

Criminals behind ransomware typically practice the double extortion technique: after stealing data, the operators encrypt the victim's files and then demand payment both for decryption and for not leaking the stolen data. Babuk's ransom demands generally range from $60,000 to $85,000. Notably, MPD did not acknowledge that any files were locked; if it turns out that files were encrypted, this would be yet another double-extortion attempt.

The Babuk gang has recently added new features to its malware to ensure that victim machines are encrypted when the ransomware is deployed. The gang has also set up a website to leak data and pressure victims into paying the ransom.

How do they operate?

Looking at Babuk's history, the gang usually posts stolen files as a way of applying pressure. This tactic has worked, making victims pay up. Although Babuk is a newcomer to this particular crimeware niche, it has already hit at least five large enterprises. The outsourcing firm Serco is one of its victims; it confirmed being hit with a double extortion ransomware attack in late January this year.

Babuk operates on the RaaS (ransomware-as-a-service) model: affiliates do the dirty work of breaking in and deploying the malware, while the developers take a cut of the profits.

The Babuk group uses multiple infection vectors. One is email phishing, where the initial email delivers a different malware strain, Trickbot or Emotet, which acts as a loader for the ransomware. Another is the exploitation of publicly disclosed but unpatched common vulnerabilities and exposures (CVEs), especially in remote access software, network edge hardware, web servers, and firewalls. Finally, the group breaks into the targeted network using valid (compromised) accounts; typically this is done through weakly protected RDP access, with credentials acquired via commodity info stealers.
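The RDP vector described above is one a defender can watch for in Windows Security logs: a successful RemoteInteractive logon (event 4624, logon type 10) from a source address outside the organization's known VPN or jump-host ranges, or one that arrives right after a run of failures (event 4625) for the same account and source, is worth an alert. The script below is an added example and is not code from the article or from any of the organizations it mentions; the event records are constructed, the field names are a simplified stand-in for the real event XML, and the trusted range and failure threshold are assumptions to be tuned for a given environment.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records modelled on Windows Security events 4624 (logon
# success) and 4625 (logon failure). LogonType 10 is RemoteInteractive (RDP).
# Field names are a simplification of the real event XML (assumed).
SAMPLE_EVENTS = [
    {"id": 4625, "user": "jdoe", "logon_type": 10, "src": "203.0.113.10"},
    {"id": 4625, "user": "jdoe", "logon_type": 10, "src": "203.0.113.10"},
    {"id": 4625, "user": "jdoe", "logon_type": 10, "src": "203.0.113.10"},
    {"id": 4624, "user": "jdoe", "logon_type": 10, "src": "203.0.113.10"},
    {"id": 4624, "user": "asmith", "logon_type": 10, "src": "10.0.5.20"},
    {"id": 4624, "user": "asmith", "logon_type": 2, "src": "127.0.0.1"},
    {"id": 4624, "user": "svc-backup", "logon_type": 10, "src": "198.51.100.7"},
]

# Assumed internal range from which RDP is expected (VPN / jump hosts).
TRUSTED_SOURCES = [ip_network("10.0.0.0/8")]
RDP_LOGON_TYPE = 10
# Assumed number of prior failures that makes a later success suspicious.
FAILURE_THRESHOLD = 3


def is_trusted(src, trusted=TRUSTED_SOURCES):
    """True if the source address falls inside an expected RDP source range."""
    addr = ip_address(src)
    return any(addr in net for net in trusted)


def find_suspicious_rdp_logons(events, trusted=TRUSTED_SOURCES,
                               threshold=FAILURE_THRESHOLD):
    """Scan events in order and return successful RDP logons that are either
    from an untrusted source or preceded by `threshold` or more failures for
    the same (user, source) pair. Non-RDP logon types are ignored."""
    failures = defaultdict(int)
    findings = []
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        key = (ev["user"], ev["src"])
        if ev["id"] == 4625:
            failures[key] += 1
        elif ev["id"] == 4624:
            reasons = []
            if not is_trusted(ev["src"], trusted):
                reasons.append("untrusted_source")
            if failures[key] >= threshold:
                reasons.append("success_after_failures")
            if reasons:
                findings.append({"user": ev["user"], "src": ev["src"],
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rdp_logons(SAMPLE_EVENTS):
        print(f"ALERT user={f['user']} src={f['src']} reasons={','.join(f['reasons'])}")
```

On the constructed input this flags two logons: `jdoe` from 203.0.113.10 (untrusted source and preceded by three failures) and `svc-backup` from 198.51.100.7 (untrusted source). The `asmith` logons are not flagged, one because it comes from the trusted range and the other because it is a local (type 2) logon. In production the records would come from the event log itself, and the trusted ranges should reflect where legitimate RDP sessions actually originate.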

Sectors That Are Easy Pickings for Ransomware Gangs

Unfortunately, police departments are among the many schools and state and local government bodies that have proved to be easy pickings for attackers. Reports say Babuk is currently targeting several sectors across multiple geographies: agriculture, electronics, healthcare, plastics, and transportation. More attacks using the same tactics are expected in the near future. The concern has grown since Babuk posted an advertisement on a dark-web forum to recruit affiliates to deploy its malware.

Although Babuk is the youngest of the ransomware gangs, having started operations at the beginning of this year, it has become a growing threat. In a very short span it has earned a place on the list of the most dangerous ransomware groups, and security researchers are watching closely in an effort to contain it.
