
Emerging Threats

Babuk ransomware source code leaked

· frtg · 2 min read

A threat actor has leaked the complete source code of the Babuk ransomware on an underground forum.

Babuk Locker, also known internally as Babyk, is a ransomware operation active since early 2021, when it began carrying out double-extortion attacks. After targeting the Metropolitan Police Department (MPD) in Washington DC and thereby attracting the attention of U.S. law enforcement, the ransomware gang claimed to have ceased operations. However, a faction of group members split off to relaunch the ransomware under the name Babuk V2, which remains active today.

Source code leaked

An alleged member of the Babuk group released the complete source code of the ransomware on a Russian-language forum. The poster claimed to be suffering from terminal cancer and to have decided, for that reason, to release the source code.

Post translated from Russian.

The shared archive contains multiple Visual Studio projects for the Babuk ransomware, with encryptors targeting VMware ESXi, NAS devices, and Windows. The screenshot below shows the VS project for Windows systems.

Babuk ransomware employs elliptic curve cryptography (ECC) as part of its encryption routine. The leaked code also includes folders containing compiled encryptors and decryptors tailored to specific victims of the ransomware gang. Fabian Wosar, a noted researcher at McAfee, pointed out that these folders additionally contain files that may be the ECC decryption keys for certain victims, as shown in the following image; this has not yet been confirmed. Our Cyber Threat Intelligence operations have tracked the distribution of these artifacts across multiple threat actor communities, which indicates that the leak is accelerating the spread of capability to secondary ransomware operators.
