What is Babuk?

Babuk is a type of Ransomware and the name of the group that operates it (also called Fancy Gang, Vasa locker or Baby), whose activity was concentrated in 2021. It was characterised, among other things, by its ability to infect both Windows and NAS environments, as well as ESXi environments (VMWare hypervisor nodes). 

Its discovery by cybersecurity researchers came at a time of trend for what is now known as RaaS (“Ransomware as a Service”), where ransomware is no longer a standalone malware that jumps independently in search of new victims, but an organisational model, where the compromises and execution of ransomware are managed by an organised group of operators, developers and managers.

As of today, the group has significantly reduced its activity and could be considered inactive. This is because in mid-2021, Babuk’s source code was leaked on hacking forums by one of its developers. Thanks to this leak, all its capabilities could be identified, such as the use of TTPs and the deletion of shadow copies (to prevent the recovery of the system to a point prior to infection), and the interruption of legitimate processes that allow detecting the actions of the ransomware, among others.