Skip to content
Ransomware group EsxiLinuxWindows

Babuk

Babuk is a ransomware family that became especially influential after its 2021 source-code leak, which enabled widespread reuse by other criminal operators and ransomware-as-a-service affiliates.

Profile source: Mallory opens in a new tab

Babuk

Family profile

Babuk is a ransomware family that became especially influential after its 2021 source-code leak, which enabled widespread reuse by other criminal operators and ransomware-as-a-service affiliates. It has been used directly in attacks and has also served as the code base for numerous derivative strains targeting enterprise environments. Babuk is associated with file encryption for impact and has been observed in Windows, Linux, ESXi, NAS, and other Linux-based storage contexts through both original and descendant implementations. The family is notable for accelerating the proliferation of cross-platform ransomware, particularly ESXi-focused lockers, by lowering the technical barrier for actors seeking to build or adapt Linux and hypervisor encryptors.

Documented Babuk behavior includes deleting shadow copies to inhibit recovery and stopping antivirus services on compromised Windows hosts. Babuk has also been linked to DLL sideloading, including abuse of a legitimate Windows debugger to deliver ransomware. Reporting further ties Babuk to attacks against virtualized infrastructure and NAS devices, and multiple later ransomware families and campaigns have been described as Babuk-derived or built from leaked Babuk code. Public reporting and law-enforcement actions have also connected Babuk deployments to financially motivated ransomware actors and affiliates, including operators involved in broader ransomware ecosystems.

Because the leaked code has been extensively repurposed, Babuk attribution now requires caution: many modern samples identified as Babuk are better understood as derivatives rather than activity by the original operators. Even so, Babuk remains a significant ransomware lineage due to its direct operational use, its role in double-extortion ecosystems through descendants, and its enduring impact on ransomware development across Windows and Linux virtualization targets.

Capabilities

  • Defense Evasion
  • Dll Sideloading
  • Extortion

Ransomware.live

Operational record

View group record ↗

Exfiltration

  • File[.]io

Reported operators

Threat actors

21 named in public reporting
DARKSTAR

...для шифрования файлов — LockBit 3 (Black) и Babuk...

Shadow

...для шифрования файлов — LockBit 3 (Black) и Babuk...

COMET

...для шифрования файлов — LockBit 3 (Black) и Babuk...

Storm-2603

Talos IR responded to Warlock, Babuk and Kraken ransomware variants for the first time... Notably, we also observed evidence of Babuk ransomware files on the customer’s network in this engagement, which has not been previously deployed by Storm-2603 according to public reporting, though it failed to encrypt and only renamed files.

Head Mare

As in previous attacks, they encrypted data using variants of LockBit 3.0 (for Windows systems) and Babuk (for NAS devices).

Crypt Ghouls

As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.

MorLock

As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.

RansomHouse

SentinelLABS observed an increase in VMware ESXi ransomware based on Babuk ( aka Babak, Babyk). The Babuk leaks in September 2021 provided unprecedented insight into the development operations of an organized ransomware group.

Conti

Authorities say Matveev played a major role in the development and deployment of the Hive, LockBit and Babuk ransomware variants...

Boriselcin

On Dec. 31, 2020, they announced the creation of the Babuk ransomware affiliate program... On January 1, 2021, a new user “Babuk” registered on the crime forum Verified... “We run an affiliate program,” Babuk explained in their introductory post on Verified.

Wazawaka

On Dec. 31, 2020, they announced the creation of the Babuk ransomware affiliate program... On January 1, 2021, a new user “Babuk” registered on the crime forum Verified... “We run an affiliate program,” Babuk explained in their introductory post on Verified.

Orange

On Dec. 31, 2020, they announced the creation of the Babuk ransomware affiliate program... On January 1, 2021, a new user “Babuk” registered on the crime forum Verified... “We run an affiliate program,” Babuk explained in their introductory post on Verified.

Bearlyfy

The hacking group was first documented by F6 in September 2025 as leveraging encryptors associated with LockBit 3 (Black) and Babuk.

Warlock

Warlock has employed multiple different encryptors over time, ranging from custom ones to variants based on Babyk...

Storm-1175

"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."

Storm-0506

"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."

Scattered Spider

"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."

Bl00Dy

...used open-source and leaked builders from other operators, including LockBit, Babuk and Conti.

Indrik Spider

"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."

Cinnamon Tempest

...deploying multiple strains of ransomware based on the leaked Babuk source code.

Exploited software

Vulnerabilities linked to Babuk

3 CVEs

MITRE ATT&CK

Babuk in ATT&CK

29 distinct techniques

Reporting

Research mentioning Babuk

Jul 13
Malware News

Dark Web Profile: Krybit Ransomware - Malware News - Malware Analysis, News and Indicators

Captured samples are flagged by antivirus engines as Babuk derivatives... consistent with the large population of RaaS strains built on Babuk’s leaked 2021 source code rather than custom-engineered ransomware.

Jul 13
Socradar

Dark Web Profile: Krybit Ransomware

Captured samples are flagged by antivirus engines as Babuk derivatives... consistent with the large population of RaaS strains built on Babuk’s leaked 2021 source code rather than custom-engineered ransomware.

Jul 5
Online Threat Alerts

se7en Scam Ransomware and Malware - How to Remove it

Se7en is a dangerous ransomware variant belonging to the Babuk family.

Jun 6
Codeby

Анализ ransomware The Gentlemen: реверс Go-бинарника Storm-2697

Из переписки видно, что разработчики The Gentlemen систематически реверсят семплы Babuk, Qilin, LockBit 5.0 и Medusa, вытаскивая шифровальные рутины, техники обфускации и методы обхода EDR.

Jun 5
Osint Team

The Gentlemen Ransomware: Threat Profile | by privacyinsightsolutions.com | May, 2026 | OSINT Team

The encryptor and locker binaries were partially reverse-engineered from source code and samples of Babuk, Qilin, LockBit 5.0, and Medusa before the custom Go implementation was developed.

Jun 2
Ahnlab Asec

새벽에 온 암호화 손님 Endpoint(Midnight) 랜섬웨어 분석 - ASEC

Babuk 소스코드 유출 이후 여러 파생 랜섬웨어가 등장했으며, EndPoint도 그중 하나로 확인된다.

May 28
Encyclopedia Kaspersky

What is DLL sideloading? | Kaspersky IT Encyclopedia

The Babuk group abused the NTSD.exe debugger for DLL sideloading. As in the previous case, the attackers used it to download ransomware onto the target device.

May 21
Securelist

Analyzing the familiar tools used by the Crypt Ghouls hacktivists | Securelist

As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.