Exfiltration
- File[.]io
Babuk is a ransomware family that became especially influential after its 2021 source-code leak, which enabled widespread reuse by other criminal operators and ransomware-as-a-service affiliates.
Profile source: Mallory opens in a new tabBabuk
Babuk is a ransomware family that became especially influential after its 2021 source-code leak, which enabled widespread reuse by other criminal operators and ransomware-as-a-service affiliates. It has been used directly in attacks and has also served as the code base for numerous derivative strains targeting enterprise environments. Babuk is associated with file encryption for impact and has been observed in Windows, Linux, ESXi, NAS, and other Linux-based storage contexts through both original and descendant implementations. The family is notable for accelerating the proliferation of cross-platform ransomware, particularly ESXi-focused lockers, by lowering the technical barrier for actors seeking to build or adapt Linux and hypervisor encryptors.
Documented Babuk behavior includes deleting shadow copies to inhibit recovery and stopping antivirus services on compromised Windows hosts. Babuk has also been linked to DLL sideloading, including abuse of a legitimate Windows debugger to deliver ransomware. Reporting further ties Babuk to attacks against virtualized infrastructure and NAS devices, and multiple later ransomware families and campaigns have been described as Babuk-derived or built from leaked Babuk code. Public reporting and law-enforcement actions have also connected Babuk deployments to financially motivated ransomware actors and affiliates, including operators involved in broader ransomware ecosystems.
Because the leaked code has been extensively repurposed, Babuk attribution now requires caution: many modern samples identified as Babuk are better understood as derivatives rather than activity by the original operators. Even so, Babuk remains a significant ransomware lineage due to its direct operational use, its role in double-extortion ecosystems through descendants, and its enduring impact on ransomware development across Windows and Linux virtualization targets.
Ransomware.live
Reported operators
...для шифрования файлов — LockBit 3 (Black) и Babuk...
...для шифрования файлов — LockBit 3 (Black) и Babuk...
...для шифрования файлов — LockBit 3 (Black) и Babuk...
Talos IR responded to Warlock, Babuk and Kraken ransomware variants for the first time... Notably, we also observed evidence of Babuk ransomware files on the customer’s network in this engagement, which has not been previously deployed by Storm-2603 according to public reporting, though it failed to encrypt and only renamed files.
As in previous attacks, they encrypted data using variants of LockBit 3.0 (for Windows systems) and Babuk (for NAS devices).
As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.
As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.
SentinelLABS observed an increase in VMware ESXi ransomware based on Babuk ( aka Babak, Babyk). The Babuk leaks in September 2021 provided unprecedented insight into the development operations of an organized ransomware group.
Authorities say Matveev played a major role in the development and deployment of the Hive, LockBit and Babuk ransomware variants...
On Dec. 31, 2020, they announced the creation of the Babuk ransomware affiliate program... On January 1, 2021, a new user “Babuk” registered on the crime forum Verified... “We run an affiliate program,” Babuk explained in their introductory post on Verified.
On Dec. 31, 2020, they announced the creation of the Babuk ransomware affiliate program... On January 1, 2021, a new user “Babuk” registered on the crime forum Verified... “We run an affiliate program,” Babuk explained in their introductory post on Verified.
On Dec. 31, 2020, they announced the creation of the Babuk ransomware affiliate program... On January 1, 2021, a new user “Babuk” registered on the crime forum Verified... “We run an affiliate program,” Babuk explained in their introductory post on Verified.
The hacking group was first documented by F6 in September 2025 as leveraging encryptors associated with LockBit 3 (Black) and Babuk.
Warlock has employed multiple different encryptors over time, ranging from custom ones to variants based on Babyk...
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
...used open-source and leaked builders from other operators, including LockBit, Babuk and Conti.
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
Lockers such as Babuk and LockBit.
...deploying multiple strains of ransomware based on the leaked Babuk source code.
Exploited software
MITRE ATT&CK
Reporting
Captured samples are flagged by antivirus engines as Babuk derivatives... consistent with the large population of RaaS strains built on Babuk’s leaked 2021 source code rather than custom-engineered ransomware.
Captured samples are flagged by antivirus engines as Babuk derivatives... consistent with the large population of RaaS strains built on Babuk’s leaked 2021 source code rather than custom-engineered ransomware.
Se7en is a dangerous ransomware variant belonging to the Babuk family.
Из переписки видно, что разработчики The Gentlemen систематически реверсят семплы Babuk, Qilin, LockBit 5.0 и Medusa, вытаскивая шифровальные рутины, техники обфускации и методы обхода EDR.
The encryptor and locker binaries were partially reverse-engineered from source code and samples of Babuk, Qilin, LockBit 5.0, and Medusa before the custom Go implementation was developed.
Babuk 소스코드 유출 이후 여러 파생 랜섬웨어가 등장했으며, EndPoint도 그중 하나로 확인된다.
The Babuk group abused the NTSD.exe debugger for DLL sideloading. As in the previous case, the attackers used it to download ransomware onto the target device.
As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.