Babuk2 Ransomware Group Claims False Victims

In the ever-evolving landscape of cybercrime, the recently surfaced ransomware group known as Babuk or Babuk2 has stirred significant controversy by claiming responsibility for multiple high-profile breaches. In a post to their data leak blog, the group boasted of having attacked 26 organizations, including major companies like Amazon, Cardinal Health, Delta, HSBC, Schwab, and US Bank. According to their announcement, they allegedly seized around 100 terabytes of sensitive information from each target, threatening to publish the stolen data unless a ransom is paid within a month. This alarming announcement reflects a classic intimidation tactic often employed by ransomware actors.

The group’s audacious claims, however, warrant skepticism. Industry experts, including Milivoj Rajić, head of threat intelligence at DynaRisk, suggest that Babuk2 may be attempting to exploit the reputations of earlier breaches, specifically those associated with the Cl0p ransomware group. Cl0p capitalized on a zero-day vulnerability in MOVEit, affecting over 95 million individuals and leading to substantial financial gains for criminal enterprises. Rajić pointed out that many of Babuk’s alleged victims were already compromised by Cl0p, raising concerns about the legitimacy and originality of Babuk2’s claims.

Particularly noteworthy is Babuk2’s self-styled rise to prominence on the false pretense of having carried out these attacks. Cybersecurity firm Halcyon has indicated that the Babuk name is being borrowed for credibility by its current operator, known as Bjorka, who operates anonymously on online forums and whose previous affiliations with other extortion attempts fit a pattern seen among emerging ransomware-as-a-service (RaaS) operations. What complicates any assessment of Babuk2’s claims is the absence of evidence of live encryption attacks or fresh intrusions, which leads analysts to suspect that data recycled from previous incidents is being repackaged.

Since its re-emergence in January, Babuk2 has purportedly been linked to the leaking of numerous databases belonging to private firms as well as governmental and defense-related agencies. However, the veracity of these claims remains problematic. Expert analysis reveals that for many of the databases promoted by Babuk2, the authenticity of the information cannot be substantiated. Rajić indicated that the group has also launched an affiliate program, termed Babuk 2.0, allowing other cybercriminals to utilize their ransomware tools in exchange for a share of any ransoms collected, encapsulating the increasingly collaborative and opportunistic nature of ransomware groups.

Mapped to the MITRE ATT&CK framework, the most plausible initial access techniques for any genuine intrusions would be the use of compromised credentials or the exploitation of public-facing applications, particularly given Cl0p’s history with vulnerabilities such as the MOVEit flaw. Persistence techniques may also be relevant, since retaining access to previously compromised environments is valuable to ransomware operations. Privilege escalation, in turn, would be the most likely explanation for how such large volumes of sensitive data could be accessed and exfiltrated without detection. None of these mappings is confirmed for Babuk2; they describe what would be required for the claims to be true.

Despite their recent claims of success, Babuk2 faces substantial scrutiny from cybersecurity professionals. The consultancy GuidePoint Security reported that many victims allegedly named by Babuk2 matched prior claims from different threat entities like FunkSec and LockBit. These findings serve as a cautionary reminder for organizations to verify breach claims and to remain vigilant against potentially recycled data as a means of extortion.
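The cross-referencing that GuidePoint Security and DynaRisk describe, matching a new leak-site victim list against earlier claims by other groups, can be automated for a first-pass triage. The following script is an added example and not code from the article or from either firm; the group names come from the article, while the victim entries and dates are constructed for illustration.

```python
# Added example (not from the article): flag leak-site victim claims that
# repeat earlier claims by other groups. Sample claims below are constructed.
from dataclasses import dataclass
from datetime import date
import re

# Corporate suffixes dropped before comparison so "HSBC Holdings plc" matches "HSBC".
SUFFIXES = {"inc", "corp", "corporation", "co", "ltd", "llc", "plc",
            "group", "company", "holdings"}

def normalize_org(name: str) -> str:
    """Lower-case, keep alphanumerics only, drop corporate suffixes."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return " ".join(t for t in tokens if t not in SUFFIXES)

@dataclass(frozen=True)
class Claim:
    group: str     # extortion group naming the victim
    victim: str    # victim name as written on the leak site
    claimed: date  # date the claim was posted

def find_recycled_claims(new_claims, prior_claims):
    """Map each new victim name to earlier claims by other groups for the same org.

    A hit does not prove the data is recycled; it is the signal that led analysts
    to question Babuk2's list: the same victim was already posted elsewhere.
    """
    index = {}
    for p in prior_claims:
        index.setdefault(normalize_org(p.victim), []).append(p)
    recycled = {}
    for c in new_claims:
        earlier = [p for p in index.get(normalize_org(c.victim), [])
                   if p.group != c.group and p.claimed < c.claimed]
        if earlier:
            recycled[c.victim] = sorted(earlier, key=lambda p: p.claimed)
    return recycled

# Constructed sample data: group names from the article, victims and dates illustrative.
PRIOR_CLAIMS = [
    Claim("Cl0p", "HSBC Holdings plc", date(2023, 6, 15)),
    Claim("LockBit", "Cardinal Health, Inc.", date(2023, 10, 2)),
    Claim("FunkSec", "Cardinal Health", date(2024, 12, 20)),
]
NEW_CLAIMS = [
    Claim("Babuk2", "HSBC", date(2025, 3, 10)),
    Claim("Babuk2", "Cardinal Health", date(2025, 3, 10)),
    Claim("Babuk2", "Example Widgets Corp", date(2025, 3, 10)),  # no prior claim
]
```

Running `find_recycled_claims(NEW_CLAIMS, PRIOR_CLAIMS)` flags the two previously claimed victims, each with the earlier posts in date order, and leaves the unmatched entry for manual verification.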

As the intricacies of cyber incidents become increasingly convoluted, business owners must remain acutely aware of the tactics employed by ransomware groups. Relying solely on the proclamations of these criminal enterprises poses risks; the verification of claims and the assessment of actual breaches become paramount in navigating this precarious landscape. The Babuk2 case exemplifies the need for rigorous cybersecurity measures, as well as a critical examination of the motivations behind emerging ransomware groups operating within a fractured ecosystem of trust and deception.
