Babuk ransomware builder leaked following muddled "retirement"

Babuk ransomware builder leaked following muddled “retirement”

In the last days of April 2021, the operators of Babuk ransomware announced they were going to focus on demanding a ransom for information stolen from compromised networks, leaving the encryption part of their operation behind. It meant that they no longer needed ransomware at all.

“Babuk changes direction, we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it if you do not get in touch we make an announcement”

And now, in one of the last days of June, a researcher has discovered the Babuk builder used to create the ransomware’s unique payloads and decryption modules.


There are some doubts on how the Babuk operators planned to proceed after they contradicted their own announcement by also announcing they planned to switch to the Ransomware-as-a-Service (RaaS) model and so-called “double extortion”. Double extortion entails both encrypting a victim’s data and threatening to leak it. A threat actor operating the RaaS model provides the infrastructure, including the ransomware, for other threat actors to use.

This business model makes it hard to fathom why RaaS customers would be interested in working with Babuk operators, if they abandoned the encryption part of the model. Extortion by threatening to release stolen data does not require the same specialized knowledge or infrastructure as encrypting data.

History of Babuk

The Babuk operators surfaced at the end of 2020 and managed to make a name for themselves by attacking Washington DC’s Metropolitan Police Department (MPD), after which they released the personal data of several MPD officers. Shortly after that, they announced they would terminate their operation.

“The babuk project will be closed, its source code will be made publicly available, we will do something like Open Source RaaS, everyone can make their own product based on our product.”

At the time, many suspected they were making this move to dodge the heat that was turned up as a result of their attack on the MPD.

It needs to be said that the Babuk operators were always a bit fickle in their communications. One moment they would announce something, only to delete it shortly after and issue a new statement. As our esteemed colleague Adam Kujawa, director of Malwarebytes Labs said when Maze announced its retirement:  

“Ransom actors are professional liars and scammers; to believe anything they say is a mistake.”

How did the builder end up on VirusTotal?

That is the puzzling question here. VirusTotal (VT) is often used as a quick way for interested parties to check whether a file is malicious or not. But it has been a while since malware authors were dunce enough to upload their work to VT to check whether it would be detected by the anti-malware industry or not. The vendors that cooperate on VT have access to any files uploaded there. So, if their freshly created malware was not detected immediately, it would be soon after. Since those days, malware authors have their own services to run these checks without sharing their work with the anti-malware vendors.

By uploading the builder to VirusTotal they were basically making the source code available. There are a few possible scenarios on why someone would upload the Babuk builder:

  1. Someone received or found the file and did not trust it, so they checked it for malware on VT. It is very unlikely that someone would get this file without knowing what it is. And if a cybercriminal wanted to check who detects this, they would use a service that does not share it with anti-malware vendors. But accidents happen and we have all heard the stories of important documents getting uploaded to VT to check whether they were clean.
  2. Someone wanted to destroy the Babuk operation by throwing their builder under the (VT) bus. This only seems likely if one of the competitors or associates wanted to ensure that the Babuk operators would really stop the encryption part of its business, or at least wanted to slow it down for some time.
  3. The Babuk operators chose this as an odd way to make the source code available. This seems very unlikely as they would certainly have made this known through their usual channels, if this was the plan.

Maybe we have missed the scenario that describes what really happened. As always our comments are open for your ideas.

Another fact that may be of consequence, somehow, is that researchers found several defects in Babuk’s encryption and decryption code. These flaws show up when an attack involves ESXi servers and they are severe enough to result in a total loss of data for the victim.


It will take a thorough analysis of the Babuk builder before we know whether it contains enough information to create software that can decrypt files encrypted by Babuk ransomware. That would be nice for the victims that did not pay the ransom. We will keep you posted.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.