On June 23rd, the builder for Babuk ransomware was posted to Raid Forums by “biba99” with instructions on how to generate the ransomware. Since then, it has gotten attention after being uploaded to VirusTotal by security researcher Kevin Beaumont and has even been used in at least one documented attack. On top of this, there is currently speculation that Babuk may not have given up the encryption game after rebranding to “Payload.bin” recently. As spotted by @malwrhunterteam on Twitter, a new Tor site has popped up resembling the old Babuk leaks site teasing a version 2.0 and a comment was left on a Bleeping Computer article stating “Only the old version was published. The new version is still used for corporate networks.” It is not currently known whether or not this site was created by the original operators of the Babuk ransomware.
Source: @malwrhunterteam
Analyst Notes
While some articles are stating that Babuk is indeed back, Binary Defense cannot confirm this. What we can say for certain is that the builder is actively being used to generate Babuk payloads for Windows, NAS and ESXi devices. No source code has been made available to the general public through this builder. It only offers the ability to add a generate keys and inject a custom ransom note into the already compiled binaries. Any previous detections in place should still detect these “new” Babuk samples. Binary Defense highly recommends that all organizations read and implement steps from the CISA (Cybersecurity & Infrastructure Agency) and NCSC (National Cyber Security Centre) ransomware guides. The guides contain detailed information that any organization can use, describing in detail how to backup and protect data, create incident response plans and more.
"The Babuk v.2.0 is proud to present a huge upcoming update."
These skids.
😂
They "worked hard for weeks" to make their old leak site "Payload.bin" only to start a new domain with their old site?
🤦♂️
Also you know, they said they "no longer encrypt information on networks", so… pic.twitter.com/uSgGlj6Yi5— MalwareHunterTeam (@malwrhunterteam) July 1, 2021
