Babuk Locker ransomware builder leaked into the network

Babuk Locker builder

The Babuk Locker ransomware builder has appeared in the public domain; with it, anyone can build their own ransomware, the well-known information security expert Kevin Beaumont reported on Twitter.

The malware has already been uploaded to VirusTotal.

“Ransomware leak time – Babuk’s builder. Used for making Babuk payloads and decryption. builder.exe foldername, e.g. builder.exe victim will spit out payloads for: Windows, VMware ESXi, network attached storage x86 and ARM. note.txt must contain ransom. It generates the decrypters for each platform too, including VMware ESXi etc.”, Kevin Beaumont wrote on Twitter.

The Record, which has already examined the leak, reports that the Babuk Locker builder can be used to create custom versions of the ransomware capable of encrypting files on Windows systems, ARM-based NAS devices and VMware ESXi servers.


The builder also generates a matching decryptor for each ransomware payload it produces, which can be used to recover the encrypted files of that particular victim.


The leak came two months after the Babuk Locker operators announced they were ceasing operations, following a high-profile attack on the Washington police department.

It is believed that the hackers renamed their “leak site” to Payload.bin, and the group now offers it to other criminals as third-party hosting, where they can leak victims’ files without setting up a site of their own for the purpose.

It is not yet clear whether the authors of Babuk Locker tried to sell their builder to a third party (and it ended up on the internet as a result of a failed deal), or whether one of the group’s competitors or cybersecurity researchers arranged the leak.

The Babuk builder leaked just two weeks after the source code of the Paradise ransomware builder was posted on a public hacking forum.

While the two incidents are believed to be unrelated, both are of concern to cybersecurity experts, who expect cybercriminal gangs to use the two tools in future, potentially devastating attacks.

“Hopefully this [leak] can be used to conduct discovery and decryption research”, Beaumont writes.

Let me remind you that I also wrote that Clop ransomware continues to work even after a series of arrests.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
