Less than two weeks after the source code for the Paradise ransomware was released on the Russian-speaking hacker forum XSS, security researchers noticed that a builder for the infamous Babuk Loker ransomware leaked online prompting concern that cybercriminals could use it to develop their own ransomware strains.

The news was first reported by the news website The Record that obtained and tested a copy of the Babuk Locker “builder”. The builder allows to create custom versions of the Babuk Locker ransomware that can be used to encrypt files hosted on Windows systems, ARM-based network storage attached (NAS) devices, and VMWare ESXi servers. It also generates a decryptor for recovering encrypted files for every Babuk encrypter generated through the app.

The builder was uploaded on the VirusTotal malware scanning service and was discovered by British cybersecurity researcher Kevin Beaumont.

At the moment, it’s unclear if the cybercriminals behind the Babuk Loker ransomware tried to sell their ransomware builder to a third party in a transaction that went bad, or if the builder was leaked by a rival or a white-hat security researcher, The Record wrote.

In April this year, the Babuk Loker ransomware gang breached servers of the Metropolitan Police Department, also known as the DC Police or MPD, encrypted files and demanded a $4 million ransom. At the time, the group claimed to have stolen more than 250 gigabytes of data from MPD, including data on informants and police personnel.

In May, the group rebranded their ransomware leak site into Payload.bin and started offering it to other gangs to use it as a platform for publishing data stolen from their victims.