It appears that the tool with which one can build the ‘Babuk Locker’ ransomware has now leaked online and is available to anyone interested in getting a copy for free. TheRecord has obtained a copy and tested the builder to see if it’s legit, and they confirmed that it appears to be the real deal.
Babuk ran its ransomware operations for only a short while but managed to achieve notable success nonetheless, with widely publicized incidents like the attack on the Washington D.C. Metropolitan Police, the Houston Rockets, and Yamabiko.
Soon, the group’s main operator decided to sell the source code to other actors and focus on an encryption-less style of attacks, just stealing data from the compromised networks and then extorting the victims to pay a ransom. Indeed, by the start of this month, we saw Babuk launching a new portal called ‘Payload Bin’ and exiting the encryption game for good.
The details behind the leak of the building tool are unclear right now, and it could be that the person who bought it from Babuk just published it or that this is the result of a compromise. Whatever happened, the key takeaway from this is that a powerful ransomware tool is now circulating freely on hacking forums, and there are many malicious actors who would be eager to experiment with it.
Whenever something like that happens, two main forces come into play. One is a natural uptick in the deployment of the leaked malware, and the second is the white-hat community being given an excellent opportunity to analyze the nasty code and create a matching defense and decryption tool. Unfortunately, only the first aspect is guaranteed, so attempts to infect systems with Babuk Locker will definitely see a rise now.
As TheRecord reports, this leak almost coincides with the leak of the ‘Paradise’ ransomware builder on a popular underground forum, which is a weird coincidence for sure. Whether or not the two occurrences are linked in any way, though, remains a question.