Is Babuk Back? Uncovering the Truth Behind Babuk Locker 2.0

Umut Bayram | 8 MIN READ | February 03, 2026

Babuk ransomware, originally identified in early 2021, quickly established itself as a formidable threat targeting large enterprises through a Ransomware-as-a-Service (RaaS) model. Distinctive for its cross-platform capabilities, the malware targeted both Windows and ESXi environments and employed a "double extortion" tactic in which victim data was stolen prior to encryption. The group's operations were disrupted in September 2021 when a key member leaked the entire source code, which gave rise to several derivative strains such as Play and RTM Locker.

In January 2025, a new entity styling itself as "Babuk Locker 2.0" emerged, claiming a resurgence of the original group. However, comprehensive analysis indicates this is a deceptive operation rather than a genuine return. The actors behind this campaign, likely "Skywave" and "Bjorka," appear to be capitalizing on the notorious brand name while lacking the original group's technical infrastructure. Technical examination of the 2025 "Babuk" payload reveals it is actually a rebranded compilation of the LockBit 3.0 (Black) ransomware. Furthermore, the group's alleged victim list consists largely of recycled data from previous breaches, including the 2021 Washington D.C. Metropolitan Police Department incident, or cross-claims from other active groups like RansomHub. Consequently, Babuk Locker 2.0 represents a "re-extortion" and reputation hijacking campaign rather than a novel ransomware threat.

How Does Babuk Ransomware (2021) Work?

The original Babuk ransomware was a sophisticated, multi-platform threat designed to target enterprise environments. It operated under a RaaS model, recruiting affiliates to deploy the locker in exchange for a profit share.

Evasion and System Preparation

Before encryption, Babuk disabled system defenses and recovery options. Recovery was inhibited by deleting Windows Shadow Copies via the following command [1]:

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

The ransomware utilized the Windows Restart Manager API (RmStartSession, RmShutdown) to close open file handles, ensuring files could be overwritten [2].

It also aggressively terminated a hardcoded list of services and processes related to backups, databases, and security software [1]. This "aggressive termination" is a preparation step designed to ensure the victim has no defenses active, no backups available, and no data left unencrypted.

Example Terminated Services: VSS, Veeam, BackupExec Services, Sophos ...
Example Terminated Processes: sql.exe, oracle.exe, Microsoft Office Suite processes such as winword.exe, thunderbird.exe ...

Cross-Platform Targeting and Encryption

Babuk was distinct for its early adoption of cross-platform capabilities, compiling effective encryptors for both Windows and Linux environments [3].

The malware initially utilized a combination of ChaCha8 for file encryption and Elliptic-curve Diffie-Hellman (ECDH) for key exchange. Later versions transitioned to HC-128 for file encryption to improve speed, paired with Curve25519 for key protection [1] [3]. This robust cryptography rendered unauthorized decryption impossible without the private key.

To ensure only one instance ran at a time, the malware created a distinctive mutex. In later versions, this mutex included a taunt directed at a security researcher, Chuong Dong, who analyzed a Babuk variant. Some versions of the malware also appended a footer to encrypted files with the text "choung dong looks like hot dog!!" [1].

Mutex Name: DoYouWantToHave***WithCuongDong

This interaction highlights a feedback loop in the cybercrime ecosystem: threat actors don’t just write code; they are also the consumers of the security blogs meant to stop them. They analyze the analysts, patching their vulnerabilities and, in cases like this, using the code itself to send a message back to the researchers hunting them.

To maintain system stability during the attack, specific directories and files were whitelisted from encryption [1]:

Excluded Folders: Windows, Tor Browser, Google, Mozilla, Internet Explorer ...
Excluded Files: bootmgr, boot.ini, ntldr, ntuser.dat ...

The whitelist reveals the pragmatic nature of modern ransomware. The attackers are not destroying data indiscriminately; they are carefully curating the destruction. By sparing the Boot Configuration (bootmgr), the OS Core (Windows), and Web Browsers, they ensure the victim retains just enough functionality to perform exactly one task: paying the ransom.

Finally, encrypted files were given the .babyk extension [1] and a ransom note named "How To Restore Your Files.txt" was dropped [2].
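The preparation steps above (shadow-copy deletion, stopping backup and security services) and the file artefacts of the encryption phase (the .babyk extension and the ransom note name) are all observable from the defender's side. The following is an added detection example, not code from the article or from Picus; the process-creation events and file paths it scans are constructed samples, and the service list is the one the article names.

```python
import re

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet',
     "ParentImage": r"C:\Users\alice\Downloads\invoice.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin.exe list shadows",          # benign: listing, not deleting
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net stop VSS /y",
     "ParentImage": r"C:\Users\alice\Downloads\invoice.exe"},
]

# Indicators taken from the article: shadow-copy deletion, stopped backup/security
# services, the .babyk extension and the ransom note file name.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
SERVICE_STOP = re.compile(r"\bnet1?(\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)
TARGETED_SERVICES = ("vss", "veeam", "backupexec", "sophos")
RANSOM_NOTE = "how to restore your files.txt"
ENCRYPTED_EXT = ".babyk"


def classify_event(event: dict) -> list:
    """Return the Babuk-style alerts raised by one process-creation event."""
    alerts = []
    cmd = event.get("CommandLine", "")
    if SHADOW_DELETE.search(cmd):
        alerts.append("shadow_copy_deletion")
    m = SERVICE_STOP.search(cmd)
    if m and any(s in m.group(2).lower() for s in TARGETED_SERVICES):
        alerts.append("backup_or_security_service_stop:" + m.group(2))
    return alerts


def classify_path(path: str) -> list:
    """Flag file-system artefacts the article attributes to Babuk."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    alerts = []
    if name.endswith(ENCRYPTED_EXT):
        alerts.append("babyk_extension")
    if name == RANSOM_NOTE:
        alerts.append("ransom_note")
    return alerts


def scan(events, paths) -> dict:
    """Aggregate alert counts over a batch of events and observed file paths."""
    counts = {}
    for ev in events:
        for a in classify_event(ev):
            counts[a] = counts.get(a, 0) + 1
    for p in paths:
        for a in classify_path(p):
            counts[a] = counts.get(a, 0) + 1
    return counts
```

Any single hit from `classify_event` is a strong signal on its own; the `.babyk` and ransom-note hits arrive only after encryption has started and are best used to scope the affected hosts rather than to prevent the attack.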

The Source Code Leak

The group's operations unraveled in 2021 due to an internal cause. A developer, reportedly aged 17 and claiming critical illness, leaked the full source code on a Russian-speaking hacking forum. This leak included source code for Windows and ESXi encryptors, decryptors, and key generators [4]. The availability of this code led to a proliferation of new ransomware families that adopted Babuk's encryption routines, such as Play and RTM Locker [5].

Babuk Source Code Leak (Source: Bleeping Computer [4])

The "Babuk 2" Deception (2025)

In January 2025, a new campaign appeared using the name "Babuk Locker 2.0". Despite claims of a return, multiple researchers have confirmed that Babuk Locker 2.0 is not a continuation of the original group, which ceased operations in 2021. Instead, it is an impostor campaign run by actors likely associated with the groups "Bjorka" and "SkyWave," designed to capitalize on the original group's infamy [5] [6]. The following evidence debunks their claims of a return.

The Malware is Actually LockBit 3.0

Technical analysis of the encryptor advertised by Babuk2 reveals it is not Babuk code, but rather a rebrand of LockBit 3.0 (LockBit Black) [7].

  • The sample uses LockBit's specific wallpaper and ransom note generation routines [7].
  • The "Affiliate Program" rules posted by Babuk2 were largely plagiarized from LockBit’s documentation, including references to being the "oldest" program and having a "bug bounty" [5].

The Data is Recycled and Falsified

Babuk2 attempts to extort victims using data that was already stolen or leaked by other groups.

  • A significant number of victims listed on Babuk2's leak site were previously claimed by other groups like RansomHub and FunkSec [6].

  • In the case of three Chinese e-commerce giants, the data provided was found to be formatted sample files or historical data from third-party channels, with no evidence of a recent intrusion [5].

  • Proof-of-breach screenshots for targets like the Washington D.C. Police Department contained file dates from 2021, proving the actors were recycling old leaks from the original Babuk group [6].

Amateurish and Chaotic Behavior

Unlike established ransomware cartels that maintain strict professional discipline, Babuk2 exhibits erratic behavior typical of scammers or opportunists.

  • The group publicly solicited cryptocurrency donations on their site, a tactic associated with hacktivists rather than professional ransomware operators [6].
  • The actors have attempted to mimic the persona of the original Babuk leadership, specifically "Wazawaka" (Mikhail Matveev). They posted transcripts of his old videos and FBI wanted posters to feign legitimacy, though they made embarrassing errors, such as misspelling his alias as "Mr. Mazalakov" [6].

How Does Picus Simulate Babuk Ransomware Attacks?

We also strongly suggest simulating Babuk Ransomware Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as Warlock, BlackCat, Black Basta, and Akira, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for the Babuk Ransomware Attacks:

Threat ID | Threat Name                                  | Attack Module
----------|----------------------------------------------|----------------------
89603     | LockBit 3.0 Ransomware Download Threat - 2   | Network Infiltration
22700     | LockBit 3.0 Ransomware Email Threat - 2      | E-mail Infiltration
37360     | Babuk Ransomware Email Threat                | E-mail Infiltration
35512     | Babuk Ransomware Downloader Email Threat     | E-mail Infiltration
99381     | Babuk Locker Ransomware Email Threat         | E-mail Infiltration
82682     | Babuk Locker Ransomware Download Threat      | Network Infiltration
40913     | Babuk Ransomware Downloader Download Threat  | Network Infiltration

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

Key Takeaways

  • Babuk Locker 2.0 is a deceptive operation capitalizing on the notorious brand name rather than a genuine return of the original group.
  • Technical analysis confirms the 2025 payload is a rebranded compilation of LockBit 3.0 ransomware rather than the original Babuk code.
  • The campaign relies on "re-extortion" tactics, utilizing recycled data from historical breaches and cross-claims from other active ransomware groups.
  • The original Babuk malware was known for its cross-platform capabilities and aggressive evasion techniques, such as deleting Windows Shadow Copies and terminating backup services.
  • The 2021 leak of the original source code led to the proliferation of variant strains like Play and RTM Locker.
  • The Picus Security Validation Platform allows organizations to simulate Babuk and LockBit 3.0 ransomware attacks to validate the effectiveness of security controls.

References

[1] “Threat analysis: Babuk ransomware,” Acronis. Accessed: Feb. 03, 2026. [Online]. Available: https://www.acronis.com/en/blog/posts/babuk-ransomware/

[2] Gil, “Babuk Locker,” Cyberint. Accessed: Feb. 03, 2026. [Online]. Available: https://cyberint.com/blog/research/babuk-locker/

[3] “Babuk Ransomware: In-Depth Analysis, Detection, Mitigation, and Removal,” SentinelOne. Accessed: Feb. 03, 2026. [Online]. Available: https://www.sentinelone.com/anthology/babuk/

[4] L. Abrams, “Babuk ransomware’s full source code leaked on hacker forum,” BleepingComputer. Accessed: Feb. 03, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/babuk-ransomwares-full-source-code-leaked-on-hacker-forum/

[5] NSFOCUS, “A Deep Analysis of the Ransomware Group Babuk2’s Recent Activities,” NSFOCUS, Inc. Accessed: Feb. 03, 2026. [Online]. Available: https://nsfocusglobal.com/a-deep-analysis-of-the-ransomware-group-babuk2s-recent-attacks/

[6] A. Sentsova, “Babuk Impersonators Leverage a Brand Name & Previously Stolen Data to Engage in Re-Extortions,” Analyst1. Accessed: Feb. 03, 2026. [Online]. Available: https://analyst1.com/babuk-impersonators-leverage-a-brand-name-previously-stolen-data-to-engage-in-re-extortions/

[7] “A Rebirth of a Cursed Existence? - The Babuk Locker 2.0,” Rapid7. Accessed: Feb. 03, 2026. [Online]. Available: https://www.rapid7.com/blog/post/2025/04/02/a-rebirth-of-a-cursed-existence-the-babuk-locker-2-0/
