Fraud Management & Cybercrime , Fraud Risk Management , Malware as-a-Service

Babuk to Close Ransomware Operation After DC Police Attack

Gang Will Provide Malware Code to Other Attackers Rather Than Release Decryptor
Babuk to Close Ransomware Operation After DC Police Attack
The retirement notice posted this week by Babuk on its darknet website

The Babuk ransomware gang says it will no longer launch attacks but instead will make its malware source code available for other attackers to use.

See Also: Global Threat Report 2024: Executive Summary

Babuk, which took credit for the ransomware attack that targeted the Washington, D.C. Metropolitan Police Department this week, says in a notice posted on its darknet website: "The babuk project will be closed, its source code will be made publicly available, we will do something like Open Source RaaS, everyone can make their own product based on our product."

The ransomware gang, whose activity was first spotted in December 2020, also recently attacked the Houston Rockets basketball team.

In recent months, other ransomware gangs, including Maze, Ziggy and Fonix announced that they have abandoned their activity. But these groups all released their ransomware's decryptor keys, allowing the victims to regain access to their data.

Babuk apparently has made no such offer.

Retired for Good?

Researchers note cybercriminal gangs often claim to shut down but then reappear under a new guise.

"Ransom actors are professional liars and scammers; to believe anything they say is a mistake," Adam Kujawa, director of Malwarebytes Labs, said when Maze announced its retirement.

Brett Callow, a threat analyst with the security firm Emsisoft, says Babuk likely decided to end its ransomware operation, in part, because of the widespread coverage of its D.C. police attack and problems with its malicious code.

"I suspect that Babuk simply got cold feet as a result of the attention the MPD incident generated. This is not a sophisticated group, and they may simply have decided to quit while ahead," he says. "Unfortunately, it seems that they plan to continue operations on a RaaS [ransomware-as-a-service] basis."

Emsisoft has noted several defects in Babuk's encryption and decryption code when an attack involves ESXi servers, leading to a total loss of data for the victim. That's why Callow says the group's RaaS offering will likely be unpopular with other attackers.

"Given that their code sucks to the point of causing even victims who pay to lose data, smarter cybercriminals will likely find other affiliate opportunities to be far more attractive," Callow says.

Babuk's coding flaws were initially spotted by Chuong Dong, a student at Georgia Tech.

After the code problems were revealed, Babuk launched a public relations campaign declaring it had fixed the flaw in its decryptor, so its victims needed to pay a ransom to receive it.

"Not so long ago, Emsisoft found a bug in our ESX descriptor, it broke some vhdx disks of the Vmware hypervisor. We immediately corrected this error," Babuk said in a statement posted to its dark web site on April 18.

Callow, however, says Emsisoft has found no proof that the code has been repaired.

The Washington Police Attack

Babuk has continued to attempt to extort money from the Washington, D.C. police department. After an initial post on Monday claiming responsibility and noting that it had taken 250GB of data from the department's network, Babuk upped the ante the same day with a second post threatening to leak the data unless a ransom was paid.

On Wednesday, the gang began posting, and then quickly pulling down, information purportedly taken from the police system. This included files on police informants and information on job applicants.

A screenshot of the documents Babuk claimed it had removed from the D.C. police system that was posted to its website this week

The Metropolitan Police Department confirmed an attack took place but gave no further details on the type of incident or the impact it has had on the department's systems.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.