
Babuk Locker ransomware builder leaked online
Unknown actors posted online an archive containing the builder for the Babuk Locker ransomware. Security researcher Kevin Beaumont drew attention to it.
Ransomware leak time — Babuk’s builder. Used for making Babuk payloads and decryption.
builder.exe foldername, e.g. builder.exe victim will spit out payloads for:
Windows, VMware ESXi, network attached storage x86 and ARM.
note.txt must contain ransom. https://t.co/K3J3zr1XBv pic.twitter.com/1bl7oc0TvO
— Kevin Beaumont (@GossiTheDog) June 27, 2021
According to him, the builder makes it possible to create a custom variant of the malware that encrypts files on Windows systems, on network-attached storage (NAS) devices and on VMware ESXi servers.
Data: The Record.
At the time of writing, it is unclear who made the archive public. The leak could have resulted from a failed deal in which the Babuk Locker developers tried to sell the builder to a third party, or it could have been posted deliberately by competitors or white-hat hackers.
As reported earlier, the Babuk Locker group began operations in January 2021 and has already affected several major companies, including the Houston Rockets basketball club and the Spanish electronics retailer Phone House.
In March, they stole more than 700 GB of data from the American military contractor PDI Group.
In April, the ransomware operators attacked the police department of the U.S. capital, stealing 250 GB of data. They demanded a ransom, threatening to reveal informants in law enforcement.
In May, the hackers published online 22 files containing personal data of the police department's officers. According to media reports, this happened after negotiations over the ransom amount allegedly reached an impasse.
Later the extortionists announced they were ceasing operations. They renamed their site to Payload.bin, which began functioning as a hosting platform for publishing the data of victims of other ransomware operators.