Skip to main content

Operator dossier

Babuk is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 188 public victims claimed by this operator between October 25, 2020 and April 23, 2025. Babuk is a ransomware group that emerged in October 2020, operating primarily for financial gain through extortion campaigns targeting organizations across multiple sectors. The group is believed to have originated from Russian-speaking cybercriminal networks and operates independently rather than as a traditional Ransomware-as-a-Service model, though they have shown willingness to collaborate with affiliates. Babuk typically gains initial access through exploitation of unpatched vulnerabilities in public-facing applications and weak remote desktop protocol credentials, employs double extortion tactics by exfiltrating sensitive data before deploying their custom encryption malware, and threatens to publish stolen information on their dedicated leak site if ransom demands are not met. The group gained significant notoriety in May 2021 when they successfully breached the Washington D.C. Metropolitan Police Department, stealing and threatening to release sensitive law enforcement data including information on criminal investigations and police personnel. Following increased law enforcement attention after the police department attack, Babuk announced in May 2021 that they were ceasing ransomware operations and would focus solely on data theft and extortion, though various security researchers have observed continued sporadic activity from the group or actors using similar tools and techniques.

Most-targeted sectors

Most-affected countries

Recent disclosures by Babuk

Most recent 150 of 188 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Babuk

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

Babuk

188 victims indexed · first seen 6 years ago · last activity 1 year ago

188
Victims indexed
#42 of 364 tracked operators
4y 6m
Active period
Oct 2020 → Apr 2025
10
Countries hit
top United States · 34

At a glance

Status
inactive
First seen
6 years ago
Last activity
1 year ago
Onion sites
2 known endpoints
Primary sector
Public Sector · 43 hits

About

Babuk is a ransomware group that emerged in October 2020, operating primarily for financial gain through extortion campaigns targeting organizations across multiple sectors. The group is believed to have originated from Russian-speaking cybercriminal networks and operates independently rather than as a traditional Ransomware-as-a-Service model, though they have shown willingness to collaborate with affiliates. Babuk typically gains initial access through exploitation of unpatched vulnerabilities in public-facing applications and weak remote desktop protocol credentials, employs double extortion tactics by exfiltrating sensitive data before deploying their custom encryption malware, and threatens to publish stolen information on their dedicated leak site if ransom demands are not met. The group gained significant notoriety in May 2021 when they successfully breached the Washington D.C. Metropolitan Police Department, stealing and threatening to release sensitive law enforcement data including information on criminal investigations and police personnel. Following increased law enforcement attention after the police department attack, Babuk announced in May 2021 that they were ceasing ransomware operations and would focus solely on data theft and extortion, though various security researchers have observed continued sporadic activity from the group or actors using similar tools and techniques.

Timeline

6 months
2020-10-01T00:00:00+00:00 · 12021-04-01T00:00:00+00:00 · 22023-07-01T00:00:00+00:00 · 52025-01-01T00:00:00+00:00 · 662025-03-01T00:00:00+00:00 · 942025-04-01T00:00:00+00:00 · 20
2020-10-01T00:00:00+00:002025-04-01T00:00:00+00:00

Top countries

🇺🇸 United States
34
🇧🇷 Brazil
15
🇮🇳 India
10
🇮🇩 Indonesia
9
🇨🇳 China
7
🇫🇷 France
5
Iraq
5
🇹🇭 Thailand
5

Top sectors

Public Sector
43
Technology
33
Healthcare
15
Manufacturing
12
Financial Services
9
Energy
7
Telecommunication
7
Agriculture and Food Production
6

MITRE ATT&CK

11 techniques · 8 tactics

Tactics

Initial AccessExecutionDefense EvasionDiscoveryLateral MovementCollectionExfiltrationImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1059Command and Scripting Interpreter
  • T1070Indicator Removal on Host
  • T1082System Information Discovery
  • T1083File and Directory Discovery
  • T1021Remote Services
  • T1005Data from Local System
  • T1039Data from Network Shared Drive
  • T1041Exfiltration Over C2 Channel
  • T1486Data Encrypted for Impact

Detection · YARA rules

2 rules
  • Ransom_Babuk

    YARA rule from ATR/Trellix: ransomware/RANSOM_BabukLocker_Jan2021.yar

    source: ATR/Trellix

  • RANSOM_Babuk_Packed_Feb2021

    YARA rule from ATR/Trellix: ransomware/RANSOM_Babuk_Packed_Feb2021.yar

    source: ATR/Trellix

Recent victims

Loading…

Onion infrastructure

2 known
  • http://nq4zyac4ukl4tykmidbzgdlvaboqeqsemkp4t35bzvjeve6zm2lqcjid.onion
  • http://nq4zyac4ukl4tykmidbzgdlvaboqeqsemkp4t35bzvjeve6zm2lqcjid.onion/

Source

Updated 1 year ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Babuk posts a victim.

Add Babuk to your watchlist — Pro pings you within 5 minutes of any new Babuk leak-site post, Telegram callout, or affiliate-rebrand inference.