Total Victims: 49
First Seen: 2021-01-01
Last Seen: 2021-08-22
Known TTPs: 14
Avg Delay: 5.5d
Negotiations: 12
ONION URLS
nq4zyac4ukl4tykmidbzgdlvaboqeqsemkp4t35bzvjeve6zm2lqcjid.onion
TOOLS
Chisel, Mimikatz, ConnectWise
FILE EXTENSIONS
.666
CHARTS (not reproduced in text): Activity Timeline, Top Sectors, Top Countries, Activity Heatmap
VICTIMS
Date | Victim Name | Country | Sector | Status
2021-08-22 | EuroWeb | United Kingdom | Logistics | Published
2021-08-11 | Capital Comm Inc. | Brazil | Healthcare | Removed
2021-08-07 | Universal Motors Inc. | United States | Manufacturing | Published
2021-08-02 | Highland Power Ltd | South Africa | Education | Removed
2021-07-27 | Patriot & Northwest Logistics | United States | Utilities | Published
2021-07-25 | LakeStar | Lithuania | Retail | Published
2021-07-24 | Quest Dynamics LLC | Lithuania | Financial Services | Published
2021-07-20 | Smart Defense Inc. | South Africa | Financial Services | Published
2021-07-12 | Heritage Land | United States | Healthcare | Removed
2021-07-10 | Horizon & Modern Pro | Slovenia | Government | Published
2021-07-01 | Swift Security GmbH | United States | Food & Beverage | Removed
2021-06-26 | Crown Dev LLC | United Kingdom | Manufacturing | Published
2021-06-25 | Harbor Pharma LLC | Romania | Manufacturing | Published
2021-06-14 | Global Clinic GmbH | United Arab Emirates | Manufacturing | Published
2021-06-12 | United Star LLC | United States | Manufacturing | Published
2021-06-07 | Oak Marine Ltd | United States | Food & Beverage | Published
2021-05-20 | Allied Land | United States | Healthcare | Published
2021-05-09 | VerdeGen | Philippines | Government | Published
2021-05-07 | Capital Finance LLC | United States | Manufacturing | Published
2021-05-03 | Tri Motors Ltd | Norway | Education | Removed
2021-04-23 | Onyx Metals LLC | Israel | Logistics | Published
2021-04-17 | Continental Storage GmbH | Belgium | Technology | Removed
2021-04-09 | GrandMetals | Indonesia | Manufacturing | Published
2021-04-05 | Onyx Wire Inc. | United States | Healthcare | Published
2021-04-05 | Pro Security Inc. | Denmark | Transportation | Published
2021-04-02 | Solid & Power Dynamics | Israel | Manufacturing | Published
2021-04-01 | Lone Star & First Ship | United Kingdom | Media & Entertainment | Published
2021-03-22 | Alpha Partners | United Kingdom | Technology | Published
2021-03-14 | Steel Management GmbH | United States | Manufacturing | Published
2021-03-10 | Union Aero Inc. | United States | Logistics | Published
2021-03-03 | FirstManufacturing | United States | Food & Beverage | Published
2021-03-02 | Swift Dynamics Inc. | United States | Professional Services | Published
2021-02-27 | Wind Health Inc. | Ireland | Government | Published
2021-02-25 | Elite Chem LLC | United States | Telecommunications | Published
2021-02-23 | Legacy & Heritage Medical | Slovakia | Financial Services | Published
2021-02-21 | Alpha Associates | Canada | Telecommunications | Published
2021-02-20 | Southern Info GmbH | United States | Technology | Published
2021-02-12 | Pacific Print LLC | France | Manufacturing | Published
2021-02-05 | Imperial Intel GmbH | Germany | Real Estate | Published
2021-02-04 | Excel Trade Inc. | New Zealand | Retail | Published
2021-02-04 | Core Systems LLC | Bulgaria | Transportation | Published
2021-02-03 | Oak Oil GmbH | Mexico | Retail | Published
2021-01-21 | Southern & Vital Space | United States | Pharmaceuticals | Published
2021-01-20 | Power Chem GmbH | United Arab Emirates | Manufacturing | Removed
2021-01-15 | Progressive Logistics GmbH | Malaysia | Energy | Published
2021-01-14 | Strategic Point Ltd | Croatia | Technology | Removed
2021-01-14 | Continental Homes LLC | France | Legal | Published
2021-01-12 | Advanced Industries | United States | Construction | Negotiating
2021-01-08 | Spring Enterprises GmbH | Ecuador | Healthcare | Published
KNOWN TTPS
Technique ID | Technique Name | Tactic
T1027.002 | Software Packing | defense-evasion
T1140 | Deobfuscate/Decode Files or Information | defense-evasion
T1562.001 | Disable or Modify Tools | defense-evasion
T1007 | System Service Discovery | discovery
T1049 | System Network Connections Discovery | discovery
T1057 | Process Discovery | discovery
T1083 | File and Directory Discovery | discovery
T1135 | Network Share Discovery | discovery
T1680 | Local Storage Discovery | discovery
T1059.003 | Windows Command Shell | execution
T1106 | Native API | execution
T1486 | Data Encrypted for Impact | impact
T1489 | Service Stop | impact
T1490 | Inhibit System Recovery | impact
YARA RULES
Babuk_rule_1 Florian Roth
rule Babuk_ransomware_1 {
    meta:
        description = "Detects Babuk ransomware"
        author = "RansomwareMonitor"
        date = "2026-03-06"
        hash = "b6ed7b81cfb5d0db97475b94e3620e9221545ccdb0242419b06644163c49effb"

    strings:
        // Wording taken from the ransom note
        $s0 = "Do not rename" nocase
        // Ransom note file name of the form README.<ext>
        $r1 = /README\..{3,10}/i
        // Legacy (base58, P2PKH/P2SH) Bitcoin address pattern
        $r2 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/

    condition:
        uint16(0) == 0x5A4D and   // "MZ" header: restrict to PE files
        filesize < 5MB and
        2 of them                 // require two distinct indicators
}
INDICATORS
Type | Value | Description
md5 | e8c157fa44c6144780ff61b28a3bf068 | Infrastructure linked to Babuk
tox | 468B714C0517BB74B915FDE75E1A1DDC5841B9E9BBAC16C610AECE42D2F27AD5E91BEF9C904B | Associated with Babuk ransomware
md5 | 9a5b1bdc0bf49e8c79c9d1505c1cc151 | Infrastructure linked to Babuk
md5 | 7608a49dbaa2985e93327869e1910e51 | Malware sample hash - Babuk campaign
sha256 | 75b483c66c852cd9b4b7ea03362c9a112c366dcdefade5d9b67904cb8cdb94fa | Ransomware binary hash - Babuk campaign
btc | bc1q9hewbny0884l36cudnkbhbkxq8a9tiqo2wfd2j | Infrastructure linked to Babuk
email | decrypt50@airmail.cc | Contact email - Babuk campaign
RANSOM NOTES
No ransom notes