Babuk to Close Ransomware Operation After DC Police Attack
Gang Will Provide Malware Code to Other Attackers Rather Than Release Decryptor
The Babuk ransomware gang says it will no longer launch attacks but instead will make its malware source code available for other attackers to use.
Babuk, which took credit for the ransomware attack that targeted the Washington, D.C. Metropolitan Police Department this week, says in a notice posted on its darknet website: "The babuk project will be closed, its source code will be made publicly available, we will do something like Open Source RaaS, everyone can make their own product based on our product."
The ransomware gang, whose activity was first spotted in December 2020, also recently attacked the Houston Rockets basketball team.
In recent months, other ransomware gangs, including Maze, Ziggy and Fonix, announced that they have abandoned their activity. But these groups all released their ransomware's decryption keys, allowing victims to regain access to their data.
Babuk apparently has made no such offer.
Retired for Good?
Researchers note cybercriminal gangs often claim to shut down but then reappear under a new guise.
"Ransom actors are professional liars and scammers; to believe anything they say is a mistake," Adam Kujawa, director of Malwarebytes Labs, said when Maze announced its retirement.
Brett Callow, a threat analyst with the security firm Emsisoft, says Babuk likely decided to end its ransomware operation, in part, because of the widespread coverage of its D.C. police attack and problems with its malicious code.
"I suspect that Babuk simply got cold feet as a result of the attention the MPD incident generated. This is not a sophisticated group, and they may simply have decided to quit while ahead," he says. "Unfortunately, it seems that they plan to continue operations on a RaaS [ransomware-as-a-service] basis."
Emsisoft has noted several defects in Babuk's encryption and decryption code when an attack involves ESXi servers, leading to a total loss of data for the victim. That's why Callow says the group's RaaS offering will likely be unpopular with other attackers.
"Given that their code sucks to the point of causing even victims who pay to lose data, smarter cybercriminals will likely find other affiliate opportunities to be far more attractive," Callow says.
Babuk's coding flaws were initially spotted by Chuong Dong, a student at Georgia Tech.
I guess that my favorite ransomware group is in their end game now. Did not expect the #Babuk team to stop here, but I'm glad they do.
— Chuong Dong (@cPeterr) April 29, 2021
Also glad that they got my name right for once https://t.co/tjuxdVjVTF pic.twitter.com/XRXFKDyU6T
After the code problems were revealed, Babuk launched a public relations campaign declaring that it had fixed the flaw in its decryptor and that victims still needed to pay a ransom to receive it.
"Not so long ago, Emsisoft found a bug in our ESX descriptor, it broke some vhdx disks of the Vmware hypervisor. We immediately corrected this error," Babuk said in a statement posted to its dark web site on April 18.
Callow, however, says Emsisoft has found no proof that the code has been repaired.
The Washington Police Attack
Babuk has continued to attempt to extort money from the Washington, D.C. police department. After an initial post on Monday claiming responsibility and noting that it had taken 250GB of data from the department's network, Babuk upped the ante the same day with a second post threatening to leak the data unless a ransom was paid.
On Wednesday, the gang began posting, and then quickly pulling down, information purportedly taken from the police system. This included files on police informants and information on job applicants.
The Metropolitan Police Department confirmed an attack took place but gave no further details on the type of incident or the impact it has had on the department's systems.