29 June 2021

Builder for Babuk Locker ransomware leaks online


Less than two weeks after the source code for the Paradise ransomware was released on the Russian-speaking hacker forum XSS, security researchers noticed that a builder for the infamous Babuk Locker ransomware had leaked online, prompting concern that cybercriminals could use it to develop their own ransomware strains.

The news was first reported by the news website The Record, which obtained and tested a copy of the Babuk Locker “builder”. The builder allows users to create custom versions of the Babuk Locker ransomware that can be used to encrypt files hosted on Windows systems, ARM-based network-attached storage (NAS) devices, and VMware ESXi servers. It also generates a decryptor for recovering encrypted files for every Babuk encrypter generated through the app.

The builder was uploaded to the VirusTotal malware scanning service and was discovered by British cybersecurity researcher Kevin Beaumont.

At the moment, it’s unclear if the cybercriminals behind the Babuk Locker ransomware tried to sell their ransomware builder to a third party in a transaction that went bad, or if the builder was leaked by a rival or a white-hat security researcher, The Record wrote.

In April this year, the Babuk Locker ransomware gang breached servers of the Metropolitan Police Department, also known as the DC Police or MPD, encrypted files and demanded a $4 million ransom. At the time, the group claimed to have stolen more than 250 gigabytes of data from MPD, including data on informants and police personnel.

In May, the group rebranded its ransomware leak site as Payload.bin and started offering it to other gangs as a platform for publishing data stolen from their victims.
