29 June 2021

Builder for Babuk Loker ransomware leaks online


Builder for Babuk Loker ransomware leaks online

Less than two weeks after the source code for the Paradise ransomware was released on the Russian-speaking hacker forum XSS, security researchers noticed that a builder for the infamous Babuk Loker ransomware leaked online prompting concern that cybercriminals could use it to develop their own ransomware strains.

The news was first reported by the news website The Record that obtained and tested a copy of the Babuk Locker “builder”. The builder allows to create custom versions of the Babuk Locker ransomware that can be used to encrypt files hosted on Windows systems, ARM-based network storage attached (NAS) devices, and VMWare ESXi servers. It also generates a decryptor for recovering encrypted files for every Babuk encrypter generated through the app.

The builder was uploaded on the VirusTotal malware scanning service and was discovered by British cybersecurity researcher Kevin Beaumont.

At the moment, it’s unclear if the cybercriminals behind the Babuk Loker ransomware tried to sell their ransomware builder to a third party in a transaction that went bad, or if the builder was leaked by a rival or a white-hat security researcher, The Record wrote.

In April this year, the Babuk Loker ransomware gang breached servers of the Metropolitan Police Department, also known as the DC Police or MPD, encrypted files and demanded a $4 million ransom. At the time, the group claimed to have stolen more than 250 gigabytes of data from MPD, including data on informants and police personnel.

In May, the group rebranded their ransomware leak site into Payload.bin and started offering it to other gangs to use it as a platform for publishing data stolen from their victims.

Back to the list

Latest Posts

Cyber Security Week in Review: March 1, 2024

Cyber Security Week in Review: March 1, 2024

The world in brief: Russian cyberspies evolve to target cloud environments, North Korean hackers exploit Windows zero-day, and more.
1 March 2024
Ukrainian hacktivists share new details on production of Russian Orlan-10 drones

Ukrainian hacktivists share new details on production of Russian Orlan-10 drones

The data was obtained from hacked email correspondence from the Russian LLC “Special Technological Center.”
29 February 2024
North Korean Lazarus hackers abused recent Windows zero-day to obtain kernel-level access

North Korean Lazarus hackers abused recent Windows zero-day to obtain kernel-level access

Lazarus' shift to exploiting zero-day flaws represents a significant escalation from their previous methods.
29 February 2024