The Babuk ransomware operation resurrected itself this year with a wave of recycled data leaks, but research reveals a far more subtle – and dangerous – operation within the ransomware landscape.
When the Babuk operation re-emerged in January, it appeared easy to dismiss.
The gang burst back onto the scene with more than 60 organisations listed on its apparent leak site, but some brief investigation revealed that every leak was recycled from previous ransomware attacks claimed by groups such as RansomHub, FunkSec, and LockBit.
The data volumes, the data itself, even the descriptions of the leaks themselves were taken straight from previous leak posts.
It made it seem that Babuk – also referred to as Babuk2 – was an operation to be dismissed as a mere copycat outfit. It’s certainly how we here at Cyber Daily treated it.
However, new research from Trustwave suggests that while there was something definitely not quite right about many of Babuk2’s claims, there’s more to the group than meets the eye.
Data commoditisation
Trustwave’s John Basmayor took a deep dive into Babuk2’s operations that began in January. He, too, felt there were some major red flags in the group’s methodology, even down to the near note-perfect recreation of the original Babuk leak site.
He observed what everyone else had seen – that the initial 60-odd victims had been previously listed elsewhere – but also noted some rather more coordinated leveraging of those previous data leaks.
“Here’s where it gets interesting. While tracking the leak patterns, a name kept popping up: Bjorka,” Basmayor said in a 1 April blog post.
“This wasn’t just some haphazard data reuse effort – we were looking at a carefully orchestrated campaign by a threat actor who’d been busy building its reputation across multiple platforms.”
The researcher was able to correlate posts on Bjorka’s Telegram channel that aligned with Babuk2’s activity in the lead-up to its re-emergence.
“The group had been steadily building up its operation, testing the waters with individual data sales before making the jump to a full-blown ransomware impersonation play,” Basmayor said.
Babuk2 wasn’t just relying on its darknet presence but also on communications channels on other messaging platforms, hacking forums, and its own clear net website, where it presented itself as a professional data broker, with a “clean interface, clear pricing information, and readily available sample data”.
What Basmayor observed was a group using smaller leaks to spark interest and pressure its victims, before moving its extortion operations to larger platforms. And while initial ransom demands are high, often peaking at US$500,000, the group is more than happy to negotiate down to a mere US$50,000 for “serious buyers”.
“Bjorka’s pricing strategy isn’t random – it is playing a clever game of market psychology,” Basmayor said.
“It’s a tiered approach that maximises potential profits while maintaining market credibility.”
By taking this approach, Babuk2 is carefully building a brand to attract not only new affiliates, which it appears to be actively recruiting, but also to commoditise data that is already out there and make the most of it.
Evolving tactics
Aside from its operational and tactical competency, little else is known about Babuk2. The group is active online during Asian business hours, which suggests the group is either an entirely new operation that simply uses the Babuk name and brand or that Babuk now more closely aligns with the Asian hacking community.
What is known, however, is that we may be observing a paradigm shift in the cyber criminal ecosystem.
“This isn’t just another copycat operation – it’s a glimpse into the future of data-driven cyber crime,” Basmayor said.
“The genius of this operation lies not in its technical sophistication (though that’s impressive enough) but in its business model. Bjorka has essentially created a sustainable ecosystem around recycled data, proving that in the digital underground, information isn’t just power – it’s a renewable resource.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.