On June 23rd, the builder for Babuk ransomware was posted to Raid Forums by “biba99” with instructions on how to generate the ransomware. Since then, it has drawn attention after being uploaded to VirusTotal by security researcher Kevin Beaumont and has been used in at least one documented attack. On top of this, there is currently speculation that Babuk may not have given up the encryption game after its recent rebranding to “Payload.bin”. As spotted by @malwrhunterteam on Twitter, a new Tor site has appeared resembling the old Babuk leaks site and teasing a version 2.0, and a comment was left on a Bleeping Computer article stating “Only the old version was published. The new version is still used for corporate networks.” It is not currently known whether this site was created by the original operators of the Babuk ransomware.
By Anthony Zampino

Introduction

Leading up to the most recent Russian invasion of Ukraine in