The Babuk ransomware gang appears to be back in action as it was found targeting and encrypting multiple corporate networks. The recent attack on the Metropolitan Police Department, followed by increased pressure from law enforcement could be the reason behind its exit from the ransomware business.
Earlier, the operators had announced that they were planning to release the malware code to the public. However, they have released a new version of their malware, indicating that they wish to get back into the ransomware business.
The gang made a comeback after announcing its departure from the ransomware business in favor of data theft extortion a few weeks ago.
The gang is now using a new version of its file-encrypting malware disguised as PayLoad Bin, and its news leak site showed little activity recently.
Meanwhile, in a recent ransomware attack, the leaked Babuk builder was used. In this attack, the attackers demanded .006 bitcoin as ransom.
Recent activity of Babuk ransomware
The current news about the comeback suggests that the plan for the data theft extortion model did not come out well for them.
A month ago, the builder for the Babuk ransomware was found online. It was providing easy access to develop advanced ransomware, allowing criminal groups to get into the ransomware business.
In May, the Babuk ransomware group had targeted a Tokyo-headquartered manufacturer of power tools. The targeted firm was identified as Yamabiko and its name was added to the data leak site.
Conclusion
Firstly announcing their exit and then facing a leak of their builder that can enable the creation of custom ransomware variants indicates that the group is desperate to stay alive. Moreover, their plan did not go well and they returned to their old successful business. This indicates that enterprises are still facing enormous threats from gangs such as Babuk and that they need to keep holding their protective shields tight.