The Babuk ransomware group is now leaking the entire set of data it has stolen from the Washington D.C. Metro Police about three weeks ago, as the negotiations have apparently reached a dead end. According to the announcement posted on Babuk’s dark web extortion portal, 250GB of sensitive data will be made available to anyone for the next eight months, giving thousands the chance to download and use them as they please. The data includes full HR details, the full gang database, and a lot more.
Two days ago, another update was posted on the Babuk site, presenting screenshots of what was allegedly a chat with a representative of the D.C. Metro Police. According to these screenshots, which could be false or fabricated, the police offered to pay a maximum of $100,000, whereas Babuk asked for a figure of around $4,000,000. This was unacceptable to the actors, so they decided to end the negotiations and proceed with the full publication of the stolen data.
The actors write that even if the police now offer them double the amount they’ve requested, they won’t retract the publication of the data, so there’s no way to find a resolution to this anymore. As the hacker says, the police had many chances to resolve the issue, but they wasted them all. It certainly sounds like the actor is frustrated with the offer they got - if they really got one.
In the meantime, Babuk’s operator is informing the public that the source code of the ransomware strain has now been passed to another group of a different brand. The service will continue, but without encrypting machines on the compromised networks. Instead, it will focus on data access, exfiltration, controlled leak, and extortion.
We have known about this shift in focus since the start of the month, when the ransomware actors gave an interview to a Czech media outlet. The first notable attack that followed (against Yamabiko) had the characteristics of an “encryption-less” incident.
Meanwhile, ransomware expert Michael Gillespie has told us that Babuk’s strain isn’t very powerful or free of bugs, so whoever bought it from them isn’t set to have a very successful run in the future. That is unless they are capable malware authors themselves and can fix all decryption weaknesses, but in that case, why would they buy the tool in the first place?