[BreachExchange] The builder for Babuk Locker ransomware was leaked online

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Wed Jun 30 11:03:23 EDT 2021


https://www.cyberdefensemagazine.com/the-builder/

The Record first reported that the builder for the Babuk Locker ransomware
was leaked online; threat actors could use it to create their own version
of the popular ransomware.

The Babuk Locker operators halted their operations at the end of April
after the attack against the Washington, DC police department. Experts
believe that the group's decision to leave the ransomware practice
could be the result of an operational error: it was a bad idea to threaten
the US police department, given the information that it manages.

The ransomware gang broke into the Washington, D.C., Metropolitan Police
Department, encrypted its files and demanded a $4 million ransom. The Babuk
ransomware claimed to have stolen 250GB of files, including personal data
of police personnel and informers.

At the end of May, the Babuk ransomware operators rebranded their
ransomware leak site into Payload.bin and started offering the opportunity
to other gangs to use it to leak data stolen from their victims.

The Record experts this week obtained and analyzed a copy of the builder
and confirmed that it allows creating custom versions of the Babuk Locker
ransomware that work on Windows systems, ARM-based network-attached
storage (NAS) devices, and VMware ESXi servers.

“According to a copy of the leak, obtained and tested by The Record, the
Babuk Locker “builder” can be used to create custom versions of the Babuk
Locker ransomware that can be used to encrypt files hosted on Windows
systems, ARM-based network storage attached (NAS) devices, and VMWare ESXi
servers.” reported The Record. “At the time of writing, it is unclear if
the Babuk gang tried to sell their ransomware builder to a third party in a
transaction that went bad, or if the builder was leaked by a rival or a
white-hat security researcher.”

The available builder also generates decrypters that could be used by
victims to recover the encrypted files.

The builder was uploaded on the VirusTotal malware scanning service and was
discovered by the popular cybersecurity expert Kevin Beaumont.

Recently another ransomware builder was leaked online: the source code for
the Paradise Ransomware was released on the hacking forum XSS, allowing
threat actors to develop their own customized ransomware operation. The
news of the availability of the source code was first reported by Tom
Malka, a senior threat intelligence analyst for security firm Security, who
reported it to BleepingComputer and The Record.

The availability of these builders online is worrisome because other
cybercrime organizations could enter the cyber arena using their own
ransomware to target organizations worldwide.