Full Source Code Leaked of Babuk Ransomware on Hacker forum

An attacker has leaked the complete source code for the Babuk ransomware on a Russian-speaking hacking forum. Babuk Locker, also known internally as Babyk, is a ransomware operation that started at the beginning of 2021 when it starts targeting businesses to steal and encode their information in double-extortion attacks.

Right after attacking the Washington DC’s Metropolitan Police Department (MPD) and feeling the heat from U.S. law enforcement, the ransomware group claimed to have shut down their operation. However, members of a similar gang disintegrate off to restart the ransomware as Babuk V2, where they constantly encode the victims of this day.

Entire Source Code Posted on a Hacker Forum

As already noticed by security investigators group vx-underground, a purported member of the Babuk group posted the full source code for their ransomware on a well-known Russian-speaking hacking forum. This member claimed to go through terminal cancer and decided to reveal the source code while they have to “live like a human.”


As the leak includes all things a threat actor requires to create a functional ransomware executable, our experts have improved the links to the source code. The transmitted file includes various Visual Studio Babuk ransomware projects for VMware ESXi, NAS, and Windows encryptors, as given below:


The Windows folder includes the complete source code for the Windows encryptor, decryptor, and what comes to be a private and public key generator.


Such as, the source code for the encryption scheduling in the Windows encryptor can be seen below:


Ransomware expert and Emsisoft CTO Fabian Wosar and inn from McAfee Enterprise have both told our experts that the leak appears legitimate. Wosar also stated that the leak may contain decryption keys for past victims.

Of Tales of Dishonesty and Attack indirectly

Babuk Locker has a sordid and public history involving betrayal and backstabbing that led to the group disintegrating. Our Experts have taught from one of the Babuk ransomware group members that the group disintegrated after the attack on the Washinton DC’s Metropolitan Police Department (MPD).

After the attack, the ‘Admin’ allegedly wanted to leak the MPD data for advertising, while the other gang members were against it. (“We’re not good guys, but even for us it was too much).”-Babuk threat actor. After the data leak, the group splintered with the original Admin forming the Ramp cybercrime forum and the rest beginning Babuk V2, where they proceed to conduct ransomware attacks.

Soon after the Admin launched the Ramp cybercrime forum, it suffered a series of DDoS attacks to make the new site unusable. The Admin accused his previous partners of these attacks, while the Babuk V2 team told our experts that they were not responsible.

“We completely forgot about the old Admin. We are not interested in his forum,” the threat actors told our experts during the conversation. To add to the group’s controversy, a Babuk ransomware builder was leaked on a file-sharing site and was used by another group to begin their ransomware operation.

It appears that Babuk is not alone with stories of backstabbing and betrayals. After Wosar setup up a Jabber account for threat actors to contact him, he tweeted that he has received Intel from threat actors who feel “exploited” by their partners and decided to leak information in revenge.

Leave a Reply