A menace actor has leaked the entire supply code for the Babuk ransomware on a Russian-speaking hacking discussion board.
Babuk Locker, additionally identified internally as Babyk, is a ransomware operation launched at the beginning of 2021 when it started focusing on companies to steal and encrypt their knowledge in double-extortion assaults.
After attacking the Washinton DC’s Metropolitan Police Department (MPD) and feeling the warmth from U.S. regulation enforcement, the ransomware gang claimed to have shut down their operation.
Nonetheless, members of the identical group splintered off to relaunch the ransomware as Babuk V2, the place they proceed to encrypt victims to this present day.
Supply code launched on a hacking discussion board
As first observed by safety researcher vx-underground, an alleged member of the Babuk group launched the total supply code for his or her ransomware on a preferred Russian-speaking hacking discussion board.
This member claimed to be affected by terminal most cancers and determined to launch the supply code whereas they should “stay like a human.”
Because the leak accommodates all the things a menace actor must create a purposeful ransomware executable, BleepingComputer has redacted the hyperlinks to the supply code.
The shared file accommodates completely different Visible Studio Babuk ransomware initiatives for VMware ESXi, NAS, and Home windows encryptors, as proven beneath.
The Home windows folder accommodates the entire supply code for the Home windows encryptor, decryptor, and what seems to be a personal and public key generator.
For instance, the supply code for the encryption routine within the Home windows encryptor may be seen beneath.
Emsisoft CTO and ransomware professional Fabian Wosar advised BleepingComputer that the leak seems authentic and may additionally include some decryption keys for previous victims.
Babuk ransomware makes use of elliptic-curve cryptography (ECC) as a part of its encryption routine. Included within the leak are folders containing encryptors and decryptors compiled for particular victims of the ransomware gang.
Wosar advised BleepingComputer that these folders additionally include curve information that might be the ECC decryption keys for these victims, however this has not been confirmed but.
In whole, there are 15 folders with curve information containing doable decryption keys.
Of tales of betrayal and backstabbing
Babuk Locker has a sordid and public historical past involving betrayal and backstabbing that led to the group splintering.
BleepingComputer has realized from one of many Babuk ransomware gang members that the group splintered after the attack on the Washinton DC’s Metropolitan Police Department (MPD).
After the assault, the ‘Admin’ allegedly wished to leak the MPD knowledge for publicity, whereas the opposite gang members have been towards it.
“We’re not good guys, however even for us it was an excessive amount of. )” – Babuk menace actor
After the information leak, the group splintered with the unique Admin forming the Ramp cybercrime discussion board and the remaining launching Babuk V2, the place they proceed to carry out ransomware assaults.
Quickly after the Admin launched the Ramp cybercrime discussion board, it suffered a sequence of DDoS assaults to make the brand new website unusable. The Admin blamed his former companions for these assaults, whereas the Babuk V2 staff advised BleepingComputer that they weren’t accountable.
“We fully forgot concerning the previous Admin. We’re not all in favour of his discussion board,” the menace actors advised BleepingComputer.
So as to add to the group’s controversy, a Babuk ransomware builder was leaked on a file-sharing website and was utilized by one other group to launch their very own ransomware operation.
It seems that Babuk shouldn’t be alone with tales of backstabbing and betrayals.
After Wosar setup up a Jabber account for menace actors to contact him, he tweeted that he has obtained intel from menace actors who really feel “wronged” by their companions and determined to leak data in revenge.
Wosar has advised BleepingComputer that he has been in a position to make use of this intelligence to stop ongoing ransomware assaults.