Babuk ransomware, originally identified in early 2021, quickly established itself as a formidable threat targeting large enterprises through a Ransomware-as-a-Service (RaaS) model. Distinctive for its cross-platform capabilities, the malware targeted both Windows and ESXi environments, employing a "double extortion" tactic where victim data was stolen prior to encryption. The operations of the group faced interruptions in September 2021 when a key member disclosed the entire source code, resulting in the emergence of several variant strains like Play and RTM Locker.
In January 2025, a new entity styling itself as "Babuk Locker 2.0" emerged, claiming a resurgence of the original group. However, comprehensive analysis indicates this is a deceptive operation rather than a genuine return. The actors behind this campaign, likely "Skywave" and "Bjorka," appear to be capitalizing on the notorious brand name while lacking the original group's technical infrastructure. Technical examination of the 2025 "Babuk" payload reveals it is actually a rebranded compilation of the LockBit 3.0 (Black) ransomware. Furthermore, the group's alleged victim list consists largely of recycled data from previous breaches, including the 2021 Washington D.C. Metropolitan Police Department incident, or cross-claims from other active groups like RansomHub. Consequently, Babuk Locker 2.0 represents a "re-extortion" and reputation hijacking campaign rather than a novel ransomware threat.
The original Babuk ransomware was a sophisticated, multi-platform threat designed to target enterprise environments. It operated under a RaaS model, recruiting affiliates to deploy the locker in exchange for a profit share.
Before encryption, Babuk disabled system defenses and recovery options. Recovery was inhibited by deleting Windows Shadow Copies via the following command [1]:
"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
The ransomware utilized the Windows Restart Manager API (RmStartSession, RmShutdown) to close open file handles, ensuring files could be overwritten [2].
It also aggressively terminated a hardcoded list of services and processes related to backups, databases, and security software [1]. This "aggressive termination" is a preparation step designed to ensure the victim has no defenses active, no backups available, and no data left unencrypted.
Example Terminated Services: VSS, Veeam, BackupExec Services, Sophos ...
Babuk was distinct for its early adoption of cross-platform capabilities, compiling effective encryptors for both Windows and Linux environments [3].
The malware initially utilized a combination of ChaCha8 for file encryption and Elliptic-curve Diffie-Hellman (ECDH) for key exchange. Later versions transitioned to HC-128 for file encryption to improve speed, paired with Curve25519 for key protection [1] [3]. This robust cryptography rendered unauthorized decryption impossible without the private key.
To ensure only one instance ran at a time, the malware created a distinctive mutex. In later versions, this mutex included a taunt directed at a security researcher, Chuong Dong, who analyzed a Babuk variant. Some versions of the malware also appended a footer to encrypted files with the text "choung dong looks like hot dog!!" [1].
Mutex Name: DoYouWantToHave***WithCuongDong
This interaction highlights a feedback loop in the cybercrime ecosystem: threat actors don't just write code; they are also consumers of the security blogs meant to stop them. They analyze the analysts, patch the weaknesses those analyses expose in their tooling and, in cases like this, use the code itself to send a message back to the researchers hunting them.
To maintain system stability during the attack, specific directories and files were whitelisted from encryption [1]:
Excluded Folders: Windows, Tor Browser, Google, Mozilla, Internet Explorer ...
The whitelist reveals the pragmatic nature of modern ransomware. The attackers are not destroying data indiscriminately; they are carefully curating the destruction. By sparing the Boot Configuration (bootmgr), the OS Core (Windows), and Web Browsers, they ensure the victim retains just enough functionality to perform exactly one task: paying the ransom.
Finally, the .babyk extension was appended to encrypted files [1] and a ransom note named "How To Restore Your Files.txt" was dropped [2].
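As an added illustration (not part of the original post or of the Picus platform), the following Python script applies defender-side detection logic for the behaviours described above (the vssadmin shadow-copy deletion, the .babyk extension and the ransom note file name) to a handful of constructed Sysmon-style events; the pipe-delimited event format, the file paths and the rename threshold are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed Sysmon-like events, "EventID|Image|CommandLine|TargetFilename".
# Event 1 = process creation, event 11 = file creation. Not real telemetry.
SAMPLE_EVENTS = [
    "1|C:\\Windows\\System32\\cmd.exe|\"C:\\Windows\\System32\\cmd.exe\" /c vssadmin.exe delete shadows /all /quiet|",
    "11|C:\\Users\\Public\\locker.exe||C:\\Users\\alice\\Documents\\q1.xlsx.babyk",
    "11|C:\\Users\\Public\\locker.exe||C:\\Users\\alice\\Documents\\q2.xlsx.babyk",
    "11|C:\\Users\\Public\\locker.exe||C:\\Users\\alice\\Documents\\How To Restore Your Files.txt",
    "1|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs|",
    "11|C:\\Program Files\\Office\\excel.exe||C:\\Users\\alice\\Documents\\budget.xlsx",
]

# Indicators taken from the behaviour described in the post.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
BABUK_EXT = ".babyk"
RANSOM_NOTE = "how to restore your files.txt"
RENAME_THRESHOLD = 2  # assumed value; tune per environment to limit noise


def parse_event(line):
    """Split one constructed event line into its four fields."""
    event_id, image, cmdline, target = line.split("|", 3)
    return {"id": int(event_id), "image": image, "cmdline": cmdline, "target": target}


def detect_babuk_behaviour(lines):
    """Return (rule, detail) findings for shadow-copy deletion, ransom-note
    drops and a burst of .babyk writes by a single process image."""
    findings = []
    ext_counts = Counter()
    for raw in lines:
        ev = parse_event(raw)
        if ev["id"] == 1 and SHADOW_DELETE.search(ev["cmdline"]):
            findings.append(("shadow_copy_deletion", ev["cmdline"]))
        if ev["id"] == 11:
            target = ev["target"].lower()
            if target.endswith(BABUK_EXT):
                ext_counts[ev["image"]] += 1
            if target.endswith(RANSOM_NOTE):
                findings.append(("ransom_note_dropped", ev["target"]))
    for image, n in ext_counts.items():
        if n >= RENAME_THRESHOLD:
            findings.append(("babyk_extension_burst", f"{image} wrote {n} {BABUK_EXT} files"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect_babuk_behaviour(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```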
The group's operations unraveled in 2021 from within. A developer, reportedly aged 17 and claiming critical illness, leaked the full source code on a Russian-speaking hacking forum. The leak included source code for the Windows and ESXi encryptors, decryptors, and key generators [4]. The availability of this code led to a proliferation of new ransomware families that adopted Babuk's encryption routines, such as Play and RTM Locker [5].
Babuk Source Code Leak (Source: Bleeping Computer [4])
In January 2025, a new campaign appeared using the name "Babuk Locker 2.0". Despite claims of a return, multiple researchers have confirmed that Babuk Locker 2.0 is not a continuation of the original group, which ceased operations in 2021. Instead, it is an impostor campaign run by actors likely associated with the groups "Bjorka" and "SkyWave," designed to capitalize on the original group's infamy [5] [6]. The following evidence debunks their claims of a return.
Technical analysis of the encryptor advertised by Babuk2 reveals it is not Babuk code, but rather a rebrand of LockBit 3.0 (LockBit Black) [7].
Babuk2 attempts to extort victims using data that was already stolen or leaked by other groups.
A significant number of victims listed on Babuk2's leak site were previously claimed by other groups like RansomHub and FunkSec [6].
In the case of three Chinese e-commerce giants, the data provided was found to be formatted sample files or historical data from third-party channels, with no evidence of a recent intrusion [5].
Proof-of-breach screenshots for targets like the Washington D.C. Police Department contained file dates from 2021, proving the actors were recycling old leaks from the original Babuk group [6].
Unlike established ransomware cartels that maintain strict professional discipline, Babuk2 exhibits erratic behavior typical of scammers or opportunists.
We also strongly suggest simulating Babuk Ransomware Attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as Warlock, BlackCat, Black Basta, and Akira, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for the Babuk Ransomware Attacks:
Threat ID | Threat Name | Attack Module
89603 | LockBit 3.0 Ransomware Download Threat - 2 | Network Infiltration
22700 | LockBit 3.0 Ransomware Email Threat - 2 | E-mail Infiltration
37360 | Babuk Ransomware Email Threat | E-mail Infiltration
35512 | Babuk Ransomware Downloader Email Threat | E-mail Infiltration
99381 | Babuk Locker Ransomware Email Threat | E-mail Infiltration
82682 | Babuk Locker Ransomware Download Threat | Network Infiltration
40913 | Babuk Ransomware Downloader Download Threat | Network Infiltration
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] “Threat analysis: Babuk ransomware,” Acronis. Accessed: Feb. 03, 2026. [Online]. Available: https://www.acronis.com/en/blog/posts/babuk-ransomware/
[2] Gil, “Babuk Locker,” Cyberint. Accessed: Feb. 03, 2026. [Online]. Available: https://cyberint.com/blog/research/babuk-locker/
[3] “Babuk Ransomware: In-Depth Analysis, Detection, Mitigation, and Removal,” SentinelOne. Accessed: Feb. 03, 2026. [Online]. Available: https://www.sentinelone.com/anthology/babuk/
[4] L. Abrams, “Babuk ransomware’s full source code leaked on hacker forum,” BleepingComputer. Accessed: Feb. 03, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/babuk-ransomwares-full-source-code-leaked-on-hacker-forum/
[5] NSFOCUS, “A Deep Analysis of the Ransomware Group Babuk2’s Recent Activities,” NSFOCUS, Inc. Accessed: Feb. 03, 2026. [Online]. Available: https://nsfocusglobal.com/a-deep-analysis-of-the-ransomware-group-babuk2s-recent-attacks/
[6] A. Sentsova, “Babuk Impersonators Leverage a Brand Name & Previously Stolen Data to Engage in Re-Extortions,” Analyst1. Accessed: Feb. 03, 2026. [Online]. Available: https://analyst1.com/babuk-impersonators-leverage-a-brand-name-previously-stolen-data-to-engage-in-re-extortions/
[7] Rapid7, “A Rebirth of a Cursed Existence? - The Babuk Locker 2.0,” Rapid7. Accessed: Feb. 03, 2026. [Online]. Available: https://www.rapid7.com/blog/post/2025/04/02/a-rebirth-of-a-cursed-existence-the-babuk-locker-2-0/