Babuk Focuses On Data-Theft Extortion
The Operators of Babuk Ransomware Decided to Close the Affiliate Program and Move to an Extortion Model.
It looks like the attackers have taken a different approach from the ransomware-as-a-service (RaaS) model, in which the hackers steal data before deploying the encryption stage in order to use it as leverage in negotiations for a ransom payment.
According to a message they have posted on their leak site, the newly announced model remains almost the same, with the exception of the data encryption component.
In practice, the cybercriminals will run an extortion-without-encryption business, demanding a ransom for information stolen from the compromised networks.
“Babuk changes direction, we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it; if you do not get in touch, we make an announcement.”
Maze ransomware started the practice of exfiltrating data for higher ransom demands back in November 2019, and this model was quickly adopted by all the major ransomware operations, with Clop changing their strategy as well in 2021. They stole a large number of files and asked for large payments in order not to leak or trade the data.
In the message posted by Babuk ransomware, they state that despite being a new team on the ransomware scene, they are already well-known in the business because they have “the best pentesters of the darknet.”
It’s unknown so far what the advantages of this extortion business model will be for Babuk, but the gang would need to exfiltrate larger quantities of data than before.
Another possibility is that this tactic could drive up the group’s profit either by demanding higher ransoms or from selling the data to competitors.
RaaS has become a phenomenon when it comes to affiliates, and it is very difficult to control every aspect of it: victims have lately lost their data because of poor-quality decryption tools, or have had to deal with attacks from ransomware gangs like Conti, Lockbit, and REvil.