Skip to content
Ransomware group

BabyDuck

BabyDuck is ransomware based on leaked Babuk source code.

Profile source: PCrisk opens in a new tab

BabyDuck

Family profile

BabyDuck is ransomware based on leaked Babuk source code. It appends the .babyduck extension to encrypted files while remaining a separately named family.

Ransomware.live

Operational record

View group record ↗

Reporting

Research mentioning BabyDuck

Jul 13
Malware News

Dark Web Profile: Krybit Ransomware - Malware News - Malware Analysis, News and Indicators

Captured samples are flagged by antivirus engines as Babuk derivatives... consistent with the large population of RaaS strains built on Babuk’s leaked 2021 source code rather than custom-engineered ransomware.

Jul 13
Socradar

Dark Web Profile: Krybit Ransomware

Captured samples are flagged by antivirus engines as Babuk derivatives... consistent with the large population of RaaS strains built on Babuk’s leaked 2021 source code rather than custom-engineered ransomware.

Jul 5
Online Threat Alerts

se7en Scam Ransomware and Malware - How to Remove it

Se7en is a dangerous ransomware variant belonging to the Babuk family.

Jun 6
Codeby

Анализ ransomware The Gentlemen: реверс Go-бинарника Storm-2697

Из переписки видно, что разработчики The Gentlemen систематически реверсят семплы Babuk, Qilin, LockBit 5.0 и Medusa, вытаскивая шифровальные рутины, техники обфускации и методы обхода EDR.

Jun 5
Osint Team

The Gentlemen Ransomware: Threat Profile | by privacyinsightsolutions.com | May, 2026 | OSINT Team

The encryptor and locker binaries were partially reverse-engineered from source code and samples of Babuk, Qilin, LockBit 5.0, and Medusa before the custom Go implementation was developed.

Jun 2
Ahnlab Asec

새벽에 온 암호화 손님 Endpoint(Midnight) 랜섬웨어 분석 - ASEC

Babuk 소스코드 유출 이후 여러 파생 랜섬웨어가 등장했으며, EndPoint도 그중 하나로 확인된다.

May 28
Encyclopedia Kaspersky

What is DLL sideloading? | Kaspersky IT Encyclopedia

The Babuk group abused the NTSD.exe debugger for DLL sideloading. As in the previous case, the attackers used it to download ransomware onto the target device.

May 21
Securelist

Analyzing the familiar tools used by the Crypt Ghouls hacktivists | Securelist

As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.