
Babuk ransomware gang says it’s no longer interested in encrypting data, would rather kidnap it instead

In the early days of ransomware things were fairly simple: malware would infect your company’s infrastructure, encrypting your valuable data with a secret key that was only known to your attackers.

If you had shown the foresight of making secure backups in advance, you could get back up and running again. But if you had no backups, your only chance of getting your data back was if you were prepared to pay a ransom to the gang hell-bent on extorting a sometimes hefty cryptocurrency payment from you.

But in recent years there have been more and more ransomware attacks which have been combined with the exfiltration of data, prior to its encryption. If criminal hackers have a copy of your data, you don’t have the “get-out-of-jail-free” card of a secure backup to play, because your extortionists can also threaten to publish your data online regardless of whether you have successfully recovered your systems, potentially damaging your brand and relationships with customers and business partners.

In April, as reported by Bleeping Computer, the Babuk ransomware gang announced that it was stepping back from encrypting victims’ data.

Although normally such news would be welcomed, in this case the Babuk gang announced that they were not ceasing their criminal activities entirely – but were instead planning to concentrate on data-theft extortion.

In a post on its then active website on the dark web, the Babuk group announced its plans in rather broken English:

I not so long ago wrote about the closure of babuk, yes, you all correctly understood babuk as a partensky program will be closed, but it will live in its new understanding, we are a promoted brand with the best pentesters of dark net We are a young project and everyone already knows about us, during this time we have gone gone ahead of other groups, we respect other groups but not all, for example, we express our loyalty to DopplePaymer, Ragnar. Babuk changes direction, we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it if you do not get in touch we make an announcement. Also for other groups that do not have their own blog or have but they want to exert additional pressure, you can not be placed with us.

A later post by Babuk explained that it was moving forward with its plans to create “something really cool”:

Hello! We announce the development of something really cool, a huge platform for independent leaks, we have no rules and bosses, we will publish private products in a single information platform where we will post leaks of successful no-name teams that do not have their own blogs and names, these are not girls who run with ship like rats and change the policy of their resources. these are really strong guys.

Sadly it appears that Babuk have kept their word, and have now launched a new dark web website called “Payload Bin” – seemingly designed to share information from companies who have had their data hacked but have refused to pay a ransom.

To launch their new website, the source code from a hacked video game manufacturer was put up for auction on the Payload Bin website.

One potential reason why this particular ransomware gang may prefer to steal copies of data from their victims is that they are worried about the massive disruption which can occur if systems are locked up through encryption – and whether that could lead to a bigger punishment if the culprits are ever identified.

Furthermore, things may get complicated for ransomware-as-a-service (RaaS) operations where there may be more than one criminal gang thinking of targeting the same organisation. If companies believe it’s pointless paying a ransom because they will just get hit again one week later, that doesn’t bode well for earnings of the criminal side of the ransomware industry in the long run.

Whatever the reasoning, it’s not necessarily the case that data-theft extortion will automatically yield larger rewards for cybercriminals, especially when you consider how awkward and time-consuming it might be to steal a vast amount of data from a hacked organisation.

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.