[BreachExchange] Leaked Babuk Locker ransomware builder used in new attacks

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Jul 1 11:44:56 EDT 2021


https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/

A leaked tool used by the Babuk Locker operation to create custom
ransomware executables is now being used by another threat actor in a very
active campaign targeting victims worldwide.

Babuk Locker was a ransomware operation that launched at the beginning of
2021 when it began targeting corporate victims and stealing their data in
double-extortion attacks.

After performing an attack on Washington DC's Metropolitan Police Department
(MPD) and feeling the pressure from law enforcement, the ransomware gang
shut down in April and switched to a non-encrypting data extortion model
under the name PayLoad Bin.

Babuk Locker builder leaked

Last week, security researcher Kevin Beaumont discovered that someone
uploaded the Babuk operation's ransomware builder to VirusTotal.

When BleepingComputer tested the builder, it was simple to generate
customized ransomware.

All a threat actor has to do is modify the enclosed ransom note to include
their own contact info, and then run the build executable to create
customized ransomware encryptors and decryptors that target Windows, VMware
ESXi, Network Attached Storage (NAS) x86, and NAS ARM devices.

Babuk builder used to launch new attacks

Soon after the builder was leaked online, a threat actor began using it to
launch a very active ransomware campaign.

Starting on Tuesday, a victim reported on Reddit that they were hit by
ransomware calling itself 'Babuk Locker.'

Security researcher MalwareHunterTeam also told BleepingComputer that ID
Ransomware received a sharp spike in Babuk Locker submissions starting on
June 29th. These victims are from all over the world, and the submitted
ransom notes all contained the email address of the threat actor.

Like the original operation, this ransomware attack adds the .babyk
extension to encrypted file names and drops a ransom note named How To
Restore Your Files.txt.

Compared to the original Babuk Ransomware operation, which demanded hundreds
of thousands, if not millions, of dollars for victims to recover their files,
this new threat actor is only asking for .006 bitcoins, or approximately
$210, from their victims.

The new threat actors also misspelled Babuk by adding a 'C' to 'Babuck
Locker' in the ransom note.

Another noticeable change is that the original Babuk Locker operation
utilized a dedicated Tor payment site used to negotiate with victims.
However, the new attacks are using email to communicate with victims
through a babukransom at tutanota.com email address.
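The artefacts described above (the .babyk extension, the ransom note name, the 'Babuck' misspelling and the contact address) are enough for a simple host-side triage check. The script below is an added example written for this post, not code from the article or from any vendor tool; the directory layout it scans is constructed inline, and the marker strings are taken from the observations reported here.

```python
import tempfile
from pathlib import Path

RANSOM_NOTE = "How To Restore Your Files.txt"   # note name reported in the article
ENCRYPTED_EXT = ".babyk"                        # extension reported in the article
# Markers that distinguish the post-leak campaign from the original operation:
# the misspelled name and the email contact (original Babuk used a Tor site).
NEW_CAMPAIGN_MARKERS = ("babuck locker", "babukransom")


def triage_tree(root):
    """Walk a directory tree and report Babuk-style artefacts.

    Returns the count of .babyk files, the ransom notes found, and whether
    any note carries the markers of the post-leak campaign.
    """
    root = Path(root)
    result = {"encrypted_files": 0, "ransom_notes": [], "new_campaign": False}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() == ENCRYPTED_EXT:
            result["encrypted_files"] += 1
        elif path.name == RANSOM_NOTE:
            result["ransom_notes"].append(str(path))
            text = path.read_text(errors="replace").lower()
            if any(marker in text for marker in NEW_CAMPAIGN_MARKERS):
                result["new_campaign"] = True
    return result


def build_sample_tree():
    """Create a constructed sample directory that mimics an affected share."""
    root = Path(tempfile.mkdtemp(prefix="babuk_triage_"))
    (root / "finance").mkdir()
    (root / "finance" / "q2.xlsx.babyk").write_bytes(b"\x00" * 16)
    (root / "finance" / "notes.docx.babyk").write_bytes(b"\x00" * 16)
    (root / "finance" / RANSOM_NOTE).write_text(
        "Your files were encrypted by Babuck Locker.\n"
        "Contact babukransom (tutanota.com) to restore them.\n")
    (root / "readme.txt").write_text("unrelated file\n")  # should not be flagged
    return root


if __name__ == "__main__":
    print(triage_tree(build_sample_tree()))
```

Point the function at a mounted share or user profile to get a quick count of affected files and to tell the two campaigns apart from the note contents.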

It is unclear how the ransomware is being distributed, but we have created
a dedicated Babuck Locker support topic that victims can use to share more
information about the attack.

If anyone pays the ransom demand for this new ransomware campaign, please
let us know as we would like to ask you some private questions.