A recently leaked builder used by the Babuk Locker ransomware gang has been picked up by a new threat actor in a ransomware campaign targeting users worldwide.
The builder was uploaded to the VirusTotal malware scanning service and was discovered by British cybersecurity researcher Kevin Beaumont. It allows anyone to create custom versions of the Babuk Locker ransomware that can encrypt files on Windows systems, ARM-based network-attached storage (NAS) devices, and VMware ESXi servers. It also generates a matching decryptor for recovering encrypted files for every Babuk encrypter produced through the app.
On June 29, a Reddit user reported that they had been hit with “.babyk, babuck locker ransomware” that encrypted important files. Security researcher MalwareHunterTeam also said that ID Ransomware, a service that lets a victim identify which ransomware encrypted their files, saw a sharp spike in Babuk Locker submissions starting on June 29.
Like the original operation, the new ransomware appends the .babyk extension to encrypted file names and drops a ransom note named How To Restore Your Files.txt, according to BleepingComputer. Unlike the Babuk Locker gang, which demanded far larger ransoms, this new threat actor is asking victims for 0.006 bitcoin. The new attacks also use email to communicate with victims rather than a dedicated Tor payment site.
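As an added triage example that is not part of the original report, the Python script below walks a directory tree and summarises the two file-system indicators the article gives for this campaign, the .babyk extension and the How To Restore Your Files.txt note, and pulls any e-mail address or .onion hostname out of the notes, which is the detail that separates this e-mail-based campaign from the original gang's Tor payment site. The sample tree it builds is constructed test data, and the note wording is an assumption; the article does not reproduce the real note.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Indicators reported for the new Babuk-builder campaign.
ENCRYPTED_EXT = ".babyk"
RANSOM_NOTE_NAME = "How To Restore Your Files.txt"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)


def triage_tree(root):
    """Walk `root` and summarise Babuk-style indicators.

    Returns the number of .babyk files, the original extensions they
    carried before encryption, the directories holding a ransom note,
    and the contact channels (e-mail vs. Tor) found in those notes.
    """
    root = Path(root)
    encrypted = 0
    original_exts = Counter()
    note_dirs = []
    emails = set()
    onions = set()

    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() == ENCRYPTED_EXT:
            encrypted += 1
            # "report.docx.babyk" -> ".docx"; a bare "scan.babyk" has no
            # recoverable original extension, recorded as "<none>".
            original_ext = Path(path.stem).suffix.lower()
            original_exts[original_ext or "<none>"] += 1
        elif path.name == RANSOM_NOTE_NAME:
            note_dirs.append(str(path.parent.relative_to(root)))
            text = path.read_text(encoding="utf-8", errors="replace")
            emails.update(m.lower() for m in EMAIL_RE.findall(text))
            onions.update(m.lower() for m in ONION_RE.findall(text))

    return {
        "encrypted_files": encrypted,
        "original_extensions": dict(original_exts),
        "note_dirs": sorted(note_dirs),
        "contact_emails": sorted(emails),
        "onion_sites": sorted(onions),
    }


def build_sample_tree():
    """Create a small constructed directory tree mimicking the indicators
    (sample data for the example, not a real victim's files)."""
    root = Path(tempfile.mkdtemp(prefix="babyk_triage_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "budget.xlsx.babyk").write_bytes(b"\x00" * 16)
    (docs / "report.docx.babyk").write_bytes(b"\x00" * 16)
    (docs / "readme.txt").write_text("untouched file")
    # Assumed note wording: the article does not quote the real note.
    note = "Your files are encrypted.\nContact: recovery@example.com\n"
    (docs / RANSOM_NOTE_NAME).write_text(note)
    (root / RANSOM_NOTE_NAME).write_text(note)
    (root / "scan.babyk").write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for key, value in triage_tree(sample).items():
        print(f"{key}: {value}")
```

Run it against a suspect share or mounted image instead of the sample tree by passing that path to triage_tree(); an empty contact_emails list alongside populated onion_sites would point back toward the original operation's Tor-based model rather than this campaign.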
For now, it is unclear how the new ransomware is distributed.