Threat Actor Profile
Babuk
Babuk is a cybercrime group that first popped up in early 2021, quickly making a name for itself with a ransomware-as-a-service (RaaS) model. These actors are known for double extortion—encrypting a victim's files while also stealing sensitive data and threatening to leak it. They primarily target large corporate and government entities.
Country of Origin
The group is believed to be Russian-speaking, as they advertise on both English and Russian forums but focus on affiliate recruitment in Russian-speaking communities.
Members
The original group's size is unknown. In September 2021, a core member reportedly leaked the ransomware's complete source code, which led to its use by other criminal groups.
Leadership
The leadership structure and specific aliases are not publicly known. An individual known as "Bjorka" has been associated with a newer, copycat group called Babuk2, but this group is distinct from the original Babuk operation.
Babuk TTPs
Tactics
Babuk’s primary goal is financial gain through extortion. They achieve this using a "double extortion" tactic. First, they steal sensitive corporate data. Then, they encrypt the victim’s network files. This gives them two points of leverage: demanding a ransom to decrypt the files and another payment to prevent the public release of the stolen data.
Techniques
To get inside a network, Babuk actors rely on a few classic techniques. They often use phishing emails with malicious attachments or links to gain initial access. They also exploit known vulnerabilities in unpatched software and use brute force attacks to crack weak passwords. Once inside, they use command-line operations to spread across the network and encrypt resources.
Procedures
Babuk’s malware is designed to be efficient. Before encrypting files, it kills a predefined list of processes and services to avoid being detected by security tools. It uses strong encryption algorithms to lock down files and adds a unique extension. While the original group stated it would avoid targets like hospitals and non-profits, their attacks have hit a range of sectors, including transportation, manufacturing, and even the Washington D.C. Police Department.
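The process-and-service termination step described above is also the most detectable part of the chain, because a legitimate administrator rarely stops several services and force-kills several processes within a few seconds. The following is an added example, not code from the Huntress profile and not Babuk's code: a small Python detector that reads constructed process-creation log lines (a hypothetical pipe-separated format; every host name, user name, service and process name in the sample is made up) and flags a host/user pair that issues a burst of stop or forced-kill commands inside a short window. It keys on the burst rather than on specific names, since the page only says the list is predefined and does not give it.

```python
"""
Added example (not from the Huntress profile, not Babuk code): flag a burst of
service-stop / forced process-kill commands from one host and user, the
prelude-to-encryption behaviour described for Babuk.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events in a hypothetical format: timestamp|host|user|command line.
# WS-042 shows six stop/kill commands in four seconds, then a rename to a new extension;
# WS-017 shows two unrelated admin commands fifteen minutes apart (benign noise).
SAMPLE_LOG = """\
2021-04-26T02:11:03|WS-042|corp\\svc_backup|sc.exe stop SampleBackupSvc
2021-04-26T02:11:04|WS-042|corp\\svc_backup|net stop SampleAVService
2021-04-26T02:11:04|WS-042|corp\\svc_backup|taskkill /F /IM sampleagent.exe
2021-04-26T02:11:05|WS-042|corp\\svc_backup|taskkill /F /IM sqlwriter.exe
2021-04-26T02:11:06|WS-042|corp\\svc_backup|net stop SampleEDRService
2021-04-26T02:11:07|WS-042|corp\\svc_backup|taskkill /F /IM dbengine.exe
2021-04-26T02:11:40|WS-042|corp\\svc_backup|cmd.exe /c ren "C:\\Share\\q1.xlsx" q1.xlsx.lockedsample
2021-04-26T09:30:00|WS-017|corp\\alice|net stop Spooler
2021-04-26T09:45:00|WS-017|corp\\alice|taskkill /F /IM notepad.exe
"""

# Command shapes that stop a service or force-kill a process (case-insensitive).
KILL_PATTERNS = [
    re.compile(r"\bsc(\.exe)?\s+stop\b", re.I),
    re.compile(r"\bnet1?(\.exe)?\s+stop\b", re.I),
    re.compile(r"\btaskkill(\.exe)?\b.*\s/F\b", re.I),
]


def parse_line(line):
    """Split one hypothetical-format log line into (timestamp, host, user, command)."""
    ts, host, user, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, user, cmd


def is_kill_command(cmd):
    """True if the command line stops a service or force-kills a process."""
    return any(p.search(cmd) for p in KILL_PATTERNS)


def find_kill_bursts(log_text, threshold=5, window_seconds=60):
    """
    Return one alert per (host, user) that issues at least `threshold` stop/kill
    commands within any `window_seconds` span. Sliding window over sorted events.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = parse_line(line)
        if is_kill_command(cmd):
            events[(host, user)].append((ts, cmd))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (host, user), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside window_seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append({
                    "host": host,
                    "user": user,
                    "first": evs[start][0],
                    "count": count,
                    "commands": [c for _, c in evs[start:end + 1]],
                })
                break  # one alert per host/user pair is enough to trigger triage
    return alerts


if __name__ == "__main__":
    for alert in find_kill_bursts(SAMPLE_LOG):
        print(f"{alert['host']} ({alert['user']}): {alert['count']} stop/kill commands "
              f"starting {alert['first']:%H:%M:%S}")
        for cmd in alert["commands"]:
            print("   ", cmd)
```

Tune `threshold` and `window_seconds` against your own baseline of scheduled maintenance and backup jobs; the point of the rule is the density of stop/kill activity from a single account in seconds, which is what an encryption run looks like and what a human administrator almost never does, so it survives renaming of the process list. Wiring this to a responder that isolates the host is what turns the detection into containment.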
Notable Cyberattacks
The most infamous attack linked to Babuk was against the Washington D.C. Metropolitan Police Department in April 2021. The group claimed to have stolen 250 GB of sensitive data, including informant details and officer information. They threatened to release the data, leading to a high-pressure situation with law enforcement. This incident caused an internal rift within the group, reportedly leading to its initial shutdown and the subsequent leak of its source code.
More recently, a group calling itself "Babuk2" or "Babuk-Bjorka" emerged in early 2025. This group, however, appears to be a copycat. It has claimed responsibility for attacks on major companies by recycling data from previous breaches by other groups like Cl0p and KillSec, essentially trying to re-extort victims with old data. Security researchers have pointed out that there's no evidence of new network intrusions in these cases, calling it a bluff to build a reputation. So, if you see Babuk2 in the headlines, just know it’s likely not the OG crew.
Law Enforcement & Arrests
Following the high-profile attack on the Washington D.C. Police Department, Babuk faced intense pressure from U.S. law enforcement. Shortly after the attack, the group announced it was shutting down its ransomware operation. This pressure is also believed to have contributed to the internal disputes that led a disgruntled member to leak the ransomware's full source code on a Russian hacking forum in September 2021. While there have been no major arrests publicly tied to the original Babuk group, the leak effectively dismantled their unique operation.
How to Defend Against Babuk
Patch, Patch, Patch: Babuk exploits known vulnerabilities. Keep your software, operating systems, and firmware updated to close those easy entry points.
Strong Authentication: Enforce the use of strong, unique passwords and enable multi-factor authentication (MFA) everywhere possible. This makes brute-force attacks way harder.
User Training: Since phishing is a go-to tactic, train your team to spot and report suspicious emails. A savvy user is a great line of defense.
Limit Permissions: Follow the principle of least privilege. Users should only have access to the data and systems they absolutely need to do their jobs.
Monitor Your Environment: You can't stop what you can't see. Huntress Managed EDR provides 24/7 monitoring to detect threats like ransomware early. Our team of threat hunters analyzes suspicious activity, investigates potential intrusions, and provides actionable steps to shut down attacks before they can do major damage. We’ll help you spot the initial foothold and contain it, fast.