Powered by MOMENTUM MEDIA
Babuk ransomware group resurrects with more than 60 victims, but there’s a catch

The seemingly rebooted threat actor posted a swathe of victims in the last couple of days – but none of them are unique to Babuk.

David Hollingworth
Wed, 29 Jan 2025

After nearly a year of inactivity, the Babuk ransomware group’s darknet leak site saw a torrent of activity on 27 January, with the gang claiming more than 60 organisations as victims.

Included in the list were at least three Australian businesses, but the apparent leaks – with many datasets already available to download – are not what they seem.

The new leaks are not new at all: they are data exposed in previous ransomware attacks by gangs such as RansomHub, FunkSec, and LockBit. Not only does the data appear to have been duplicated en masse, but so has the copy accompanying each leak post.

For instance, the hacking group FunkSec claimed the University of Sydney-based Fresh Produce Safety Centre Australia & New Zealand as a victim in December 2024. At the time, the gang said: “We are breach today database with full dump tables.”

And here’s what Babuk posted a couple of days ago:

“Today we are posting here the new company – fpsc-anz.com,” the allegedly new leak post said.

“We are breach today database with full dump tables from fpsc-anz.com for free download.”

Other leaks, previously published by RansomHub and others, also feature the same copy.

According to threat tracker RansomLook.io, this iteration of Babuk appears to be a new operation.

“At this current time there is no apparent connection to the original Babuk operation besides reusing the Babuk site template and logos,” an update on RansomLook said.

“The group is also known as Babuk2 by other trackers.”

Duplicating older leaks is not a new tactic. LockBit was observed doing much the same thing with Australian company Design Intoto in September 2024. However, RansomHub had already claimed the attack – and published the data – in April of the same year.

“Based on the current cyber landscape, we understand this new mention is likely an attempt by a separate group to recycle the data involved in the cyber incident reported in April,” a Design Intoto spokesperson told Cyber Daily at the time.

“We are advised that ‘data recycling’ events from prior cyber incidents are becoming increasingly common among certain cyber groups.”

The original Babuk ransomware group was first observed in 2021. It went on a short hiatus after announcing in the same year that it was retiring, but was back in action just months later.

In this new case, according to RansomLook, “it is important to note that the original Babuk DLS was hosted and available up until February 26th, 2024”.

Now, it looks like someone else has moved in and is trying to cash in on the previous group’s reputation.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
