Menu
Browse

Cyber Threat Actor: Babuk

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Crime Syndicate
Russia
10 incidents
Profile

Babuk, also known as Babuk Locker and internally as Babyk or Vasa Locker, is a ransomware threat actor that emerged at the beginning of 2021 and is believed to be based in Russia. The group describes itself as a non‑malicious entity created to expose security weaknesses in corporate networks, yet it engages in data theft, encryption and extortion operations. Publicly attributed activity shows a focus on the transportation, healthcare, plastic surgery, electronics and agricultural sectors, with observed activity concentrated in Germany, Hong Kong, Sweden and the United States, while they claim to avoid hospitals except private plastic surgery or dental clinics, non‑profitable charitable foundations, schools except significant universities and small businesses with annual revenue under four million dollars.

Their typical tactics begin with initial access gained through phishing emails, exploitation of unpatched CVEs, abuse of valid credentials via weak RDP connections, and, in at least one case, a VPN zero‑day vulnerability. Once inside a network, Babuk attempts to terminate services related to standard applications, backup programs, endpoint security solutions and server software before deploying its ransomware. The malware employs the ChaCha8 encryption algorithm, later upgraded to HC‑128, combined with Elliptic‑curve Diffie–Hellman key exchange, rendering decryption impossible without the private key. After compromising a network the group often exfiltrates large volumes of data—ranging from ten gigabytes to over seven hundred gigabytes—then threatens to leak the stolen information unless a ransom is paid, sometimes warning that data will be shared with criminal gangs or used to target additional government entities. Following a high‑profile attack on the Washington D.C. Metropolitan Police Department, the original Babuk faction claimed retirement due to law‑enforcement pressure, but a splinter group re‑emerged as Babuk V2, announcing a shift away from ransomware‑style encryption toward pure data‑theft extortion.

Publicly reported operations illustrate this pattern. In May 2021 the group claimed responsibility for compromising Japanese power‑tool maker Yamabiko Corporation, alleging the theft of 0.5 TB of data obtained via a VPN zero‑day. In April 2021 they hit Italian pharmaceutical firm Zambon, asserting seven months of undetected access and the exfiltration of approximately ten gigabytes. The same month they targeted the Washington D.C. Metropolitan Police Department, stealing 250 GB of operational and informant‑related files and demanding a four‑million‑dollar ransom while threatening to expose police informants to criminal networks. Also in April 2021 they attacked Spanish telecommunications provider Phone House Spain, affecting data on roughly three million users and demanding a six‑million‑dollar Bitcoin payment. Other notable incidents include the March 2021 breach of a U.S. military contractor (PDI Group) that yielded over seven hundred gigabytes of schematics and customer data, the January 2021 intrusion into Serco’s continental European division supporting NHS Test and Trace, and the January 2021 ransomware event against the Houston Rockets that resulted in the loss of approximately five hundred gigabytes of player contracts, financial records and personal data. A biotechnology firm focused on gene and cell therapy was similarly hit in March 2021 with roughly twenty‑three gigabytes taken. In January 2024 Cisco Talos, Dutch Police and Avast released a decryptor for the Babuk Tortilla variant after obtaining the private key, underscoring the effectiveness of the group’s encryption when the key is retained. Defensive recommendations highlighted by researchers include rigorous patch management, monitoring for anomalous behavior, strict control of administrative tools and the protection of sensitive data stores. This summarizes the factual attributes of Babuk as presented in the supplied sources.

Incidents
Attributed incidents available to members
10 incidents
Sources
Sources available to members
9 sources