Babuk Ransomware Gang Leaks DC Police Info, says they are Retiring


The Russia-based Babuk ransomware gang says it will not launch any more attacks. But it will be making its malware source code available for the use of future attackers.

The gang issued a statement on their darknet website: “The babuk project will be closed, its source code will be made publicly available, we will do something like Open Source RaaS, everyone can make their own product based on our product.”


Babuk is a new player. They were first implicated in the December 2020 ransomware attack of the Houston Rockets basketball team.

Last week the DarkSide ransomware gang apologized for attacking the Colonial Pipeline in the U.S. The Maze, Ziggy, and Fonix ransomware attack teams all claim they are abandoning their hacking activities. But these groups also made their ransomware’s decryption keys available, so their victims could regain access to the stolen and encrypted data.

On the other hand, Babuk is still trying to collect a ransom.

Babuk ransomware gang leaking D.C. police information

Babuk took credit for last month’s hacking into the Washington D.C. police department’s internal computer network. They threatened to leak details of confidential informants if they didn’t receive an unspecified ransom. And they initially gave the police only three days to pay up.

Several times, the gang has leaked portions of the stolen data. But it appears the ransom still has not been paid.

The D.C. Metropolitan Police Department has over 4,000 employees. It is one of the largest local police agencies in the United States.

The Metropolitan Police Department immediately called in the FBI. The FBI confirms an attack but is not giving further details.

Retirement or Reinvention?

Cybersecurity experts say that these cybercriminal gangs may only claim to shut down. The bad actors often resurface in other gangs, or the entire enterprise may reappear under a new name. They are criminals, and it is anticipated that they will continue to commit crimes.

When he heard that Maze was announcing its retirement, Adam Kujawa, director of Malwarebytes Labs, said: “Ransom actors are professional liars and scammers; to believe anything they say is a mistake.”

Brett Callow, a threat analyst with Emsisoft, says Babuk likely decided to end its ransomware operation because of the widespread media coverage of its D.C. police attack. The group was also under the microscope for problems with its malicious code.

Babuk code flaws go public

“I suspect that Babuk simply got cold feet as a result of the attention the MPD incident generated. This is not a sophisticated group, and they may simply have decided to quit while ahead,” Callow says. “Unfortunately, it seems that they plan to continue operations on a RaaS [ransomware-as-a-service] basis.”

“Given that their code sucks to the point of causing even victims who pay to lose data, smarter cyber criminals will likely find other affiliate opportunities to be far more attractive,” Callow says.

The Babuk coding flaws were first publicly called out by Chuong Dong, a very bright computer science major at Georgia Tech. He has been gibing the Babuk ransomware gang on Twitter.

He tweets: “I guess that my favorite ransomware group is in their end game now. Did not expect the #Babuk team to stop here, but I’m glad they do.”

Dong also put out a report on last week’s DarkSide ransomware malware. DarkSide recently apologized for the Colonial Pipeline hack, which is causing the U.S. issues with rising gas prices and infrastructure security.

Emsisoft also pointed out defects in Babuk’s encryption and decryption code. If the attack targets ESXi servers, it can lead to a total loss of data for the victim. That’s why Callow says the group’s RaaS offering will likely be unpopular with other attackers.

After both Dong and the security firm Emsisoft pointed out the Babuk code problems, the hacker gang launched a media campaign. They claim they have corrected the flaw in their decryptor, and they are urging their victims to pay a ransom so they can send them the “fixed” decryption code.

The Babuk ransomware gang doesn’t seem to be having much success. They say they are retiring, but they still don’t appear to be giving up on getting a ransom.