After a few months of activity, Babuk ransomware operators posted on their data leak site on 29 April a short message with the title Hello World 2, in which they stated that they would stop the blackmail operation, after achieving their goal. Other ransomware gangs have chosen to release decryption keys or even return ransom paid by their victims before they quit their businesses - something the Babuk gang does not intend to do.
However, the gang wanted to leave some "legacy". Thus, the source code for Babuk file-encrypting malware will be available to the public as soon as the business is terminated.
It is worth noting that the message posted by the gang was modified and was visible for a while only on the main page of its site. In a version recorded by Dmitry Smilyanets of Recorded Future, the hackers stated that the PD was their last target, a clear reference to their last victim, the Washington, DC Metropolitan Police Department (DCD). As shown in the screenshot below, "PD" also appeared in the title.
Another version of the message, recorded by BleepingComputer, did not mention the PD at all, which may indicate that the gang is preparing to end its activities in the near future, after breaching a different victim. The hackers stated that they stole 250 GB of data before encrypting the MPD computers, and posted screenshots of files stolen during the attack to substantiate their claims.
Babuk ransomware appeared in the threat landscape earlier this year. From the start of its activity it targeted victims all over the world and demanded ransoms of $60,000 to $85,000 in Bitcoin.
According to BleepingComputer, each executable from this ransomware strain was tailored to the victim with a hardcoded file extension, and the hackers left a ransom note with a Tor URL where victims could communicate with the gang to negotiate the ransom.
Babuk ransomware operators initially said they would not target certain types of organizations, such as healthcare, nonprofits, education and small and medium-sized enterprises, with a few exceptions. In a later post on their data leak site, the hackers stated that their attacks had begun at least as early as mid-October 2020, and removed the aforementioned exceptions.
The number of organizations that fell victim to the Babuk ransomware operation is not clear. However, as of April 29 the gang's data leak site listed over twelve companies that did not pay the demanded ransom.
Other victims may be listed on hidden pages, such as the Metropolitan Police Department, which is no longer shown on the main page but still exists on the data leak site.
It is worth noting that some ransomware gangs had previously announced that they would stop their businesses, but returned under a different name. Members of a discontinued ransomware gang may also be incorporated into a new business - for example, Maze ceased operations and its members were incorporated into the Egregor ransomware business.
Source of information: bleepingcomputer.com