CyberSec Chronicles

This New Year’s double-extortion ransomware landscape started with a peculiar specimen dubbed Babuk, put in the spotlight in this first chronicle.

Context

This New Year’s double-extortion ransomware landscape started with a peculiar specimen dubbed Babuk. It was put in the spotlight when its operators hit several corporations in a relatively short span of time, among them the prominent global government outsourcer Serco, which reported revenue of over £ bn in 2019 and is behind NHS Test and Trace.
The Sogeti CERT ESEC Threat Intelligence (CETI) team thought that Babuk would be a textbook case for our first chronicle, one that illustrates how quickly inexperienced threat actors can nowadays learn from scratch the means of conducting single, double, and even triple extortion schemes. Even more striking is how fast Babuk’s operators adopted a Ransomware-as-a-Service model by recruiting affiliates from underground Russian-speaking forums.

Executive Summary

In contrast with previously observed ransomware threat actors, Babuk’s operators advertise in English on more visible hacking forums. This new ransomware also lacks “kill-switches”, a feature commonly built in by the top-tier ransomware ecosystem for when a language of the Commonwealth of Independent States (CIS) is detected as the system default. Another peculiar trait of Babuk’s operators was a message posted on their DLS (dedicated leak site) claiming that organisations or NGOs will not be attacked, except those that support LGBT or Black Lives Matter (BLM). Such conservative political statements are uncommon for ransomware operators but could be consistent with a hacktivist group of Muslim faith, as substantiated by several elements described in our analysis from ‘social media intelligence’-oriented research. Beyond the operational security errors in the Babuk codebase already reported by researchers, to which Babuk’s operators are very attentive, we also found misconfigurations in the first version of their DLS. From the former observation, and thanks to the support of our internal Purple Team, we could elaborate a vaccine that, in a credible simulated enterprise environment, demonstrated the prevention of file encryption by recent variants of Babuk ransomware.

 

Download the report