Dark Web Profile: Babuk/Babuk2

Babuk, originally infamous for its ransomware attacks, has evolved into Babuk2 and introduced a hybrid model focused on data theft and extortion. Despite its claims of significant data breaches, there are doubts about its real capabilities, since many of its leaks appear to be recycled from previous incidents. Overall, Babuk2 trades on its reputation for profit while keeping its focus on high-value targets. Affected: large organizations, government agencies, healthcare, transportation, public institutions, technology firms, critical infrastructure.

Key points:

  • Babuk emerged in 2020, gaining notoriety for ransomware attacks on high-profile entities.
  • The group disbanded after its source code leaked, leading to the formation of Babuk V2 focused on data extortion.
  • Babuk2 resurfaced in 2025, claiming responsibility for extensive data theft targeting the Indonesian government.
  • Many claims of data breaches attributed to Babuk2 seem to involve recycled data from previous incidents.
  • Babuk2 operates using deception, rebranding, and social engineering to pressure victims.
  • The group utilizes a dual-threat strategy that combines ransomware with data theft.
  • Strong targeting of public institutions, technology firms, and healthcare sectors indicates strategic motives.

MITRE Techniques:

  • Ransomware (T1486): Babuk employed ransomware to encrypt files as part of its dual-threat strategy.
  • Data Encrypted for Impact (T1486): By encrypting data and demanding a ransom, Babuk increased the pressure on its victims.
  • Exfiltration Over Command and Control Channel (T1041): Babuk exfiltrated data prior to encryption and threatened to release it unless the ransom was paid.
  • Impair Process Control (T0816): Babuk used ransomware attacks to disrupt operations and pressure victims into paying the demanded ransom.

Indicators of Compromise:

  • [Domain] babuk[.]com
  • [Domain] babuk2[.]com
  • [IP Address] 192.168.1.1
  • [Hash – SHA-256] 3facc153ed82a72695ee2718084db91f85e2560407899e1c7f6938fd4ea011e9
  • [Email Address] bjorka@example[.]com
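
The indicators above are published defanged, so before they can be matched against telemetry they have to be refanged and wrapped in boundaries that avoid partial matches (a hit on notbabuk.com or 192.168.1.10 is noise, while a hit on mail.babuk2.com is not). The script below is an added example written for this profile, not SOCRadar's own tooling: it refangs the listed indicators, scans a set of constructed sample log lines (hosts, timestamps and paths are made up), and flags indicators that are too weak to deploy as-is. Two of the listed indicators fall into that category: 192.168.1.1 is an RFC 1918 private address and example.com is an RFC 2606 reserved documentation domain, so matching either in a typical network produces false positives rather than evidence of Babuk2 activity.

```python
"""Refang the Babuk/Babuk2 indicators listed above and match them against log lines."""
import ipaddress
import re
from typing import Dict, List, Pattern, Tuple

# Indicators copied from the profile above, in their published defanged form.
DEFANGED_IOCS: Dict[str, List[str]] = {
    "domain": ["babuk[.]com", "babuk2[.]com"],
    "ip": ["192.168.1.1"],
    "sha256": ["3facc153ed82a72695ee2718084db91f85e2560407899e1c7f6938fd4ea011e9"],
    "email": ["bjorka@example[.]com"],
}

# Constructed sample log lines (not real telemetry); hosts, times and paths are invented.
SAMPLE_LOGS: List[str] = [
    "2025-03-12T10:04:01Z dns client=10.0.0.23 query=mail.babuk2.com type=A",
    "2025-03-12T10:05:44Z proxy client=10.0.0.23 url=http://babuk.com/login status=200",
    "2025-03-12T10:06:10Z edr host=ws-17 path=C:\\Users\\alice\\Downloads\\setup.exe "
    "sha256=3FACC153ED82A72695EE2718084DB91F85E2560407899E1C7F6938FD4EA011E9",
    "2025-03-12T10:07:02Z smtp from=bjorka@example.com to=cfo@corp.internal subject=YourData",
    "2025-03-12T10:08:30Z dns client=10.0.0.23 query=notbabuk.com type=A",
    "2025-03-12T10:09:00Z fw src=192.168.1.10 dst=10.0.0.23 action=allow",
]

# Lookbehind/lookahead pairs so each indicator kind matches whole tokens only:
# subdomains of a listed domain match, longer names that merely contain it do not.
_BOUNDARIES: Dict[str, Tuple[str, str]] = {
    "domain": (r"(?<![\w-])", r"(?![\w-]|\.\w)"),
    "ip": (r"(?<![\d.])", r"(?![\d.])"),
    "sha256": (r"(?<![0-9a-f])", r"(?![0-9a-f])"),
    "email": (r"(?<![\w.+-])", r"(?![\w-]|\.\w)"),
}


def refang(value: str) -> str:
    """Undo common defanging so the indicator matches raw telemetry:
    '[.]', '(.)', '[. ]' -> '.', '[@]' -> '@', leading 'hxxp' -> 'http'."""
    value = re.sub(r"\s*[\[(]\s*\.\s*[\])]\s*", ".", value)
    value = re.sub(r"[\[(]@[\])]", "@", value)
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.strip().lower()


def compile_indicators(iocs: Dict[str, List[str]] = DEFANGED_IOCS) -> List[Tuple[str, str, Pattern]]:
    """Return (kind, refanged value, compiled pattern) for every indicator."""
    compiled = []
    for kind, values in iocs.items():
        pre, post = _BOUNDARIES[kind]
        for raw in values:
            clean = refang(raw)
            compiled.append((kind, clean, re.compile(pre + re.escape(clean) + post, re.IGNORECASE)))
    return compiled


def scan_logs(lines: List[str], iocs: Dict[str, List[str]] = DEFANGED_IOCS) -> List[Tuple[int, str, str]]:
    """Return (1-based line number, indicator kind, refanged indicator) for every hit."""
    hits = []
    patterns = compile_indicators(iocs)
    for lineno, line in enumerate(lines, start=1):
        for kind, clean, pattern in patterns:
            if pattern.search(line):
                hits.append((lineno, kind, clean))
    return hits


def weak_indicators(iocs: Dict[str, List[str]] = DEFANGED_IOCS) -> List[str]:
    """Indicators that should be reviewed before deployment: RFC 1918 private
    addresses and the RFC 2606 reserved documentation domains (example.com etc.)."""
    weak = []
    for kind, values in iocs.items():
        for raw in values:
            clean = refang(raw)
            if kind == "ip" and ipaddress.ip_address(clean).is_private:
                weak.append(clean)
            elif kind in ("domain", "email") and re.search(r"(^|[.@])example\.(com|net|org)$", clean):
                weak.append(clean)
    return weak


if __name__ == "__main__":
    for clean in weak_indicators():
        print(f"WARNING: low-fidelity indicator, review before deploying: {clean}")
    for lineno, kind, clean in scan_logs(SAMPLE_LOGS):
        print(f"line {lineno}: {kind} match on {clean}")
```

Running it reports the two weak indicators and four hits: the subdomain lookup on line 1, the proxy request on line 2, the upper-case hash on line 3 (matched case-insensitively) and the sender address on line 4; the notbabuk.com lookup and the 192.168.1.10 flow are correctly ignored. Swap SAMPLE_LOGS for lines read from a real log source to use the same matcher in a hunt.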


Full Story: https://socradar.io/dark-web-profile-babuk-babuk2/
