The builder can be used to create a custom version of the ransomware to encrypt files on Windows systems, NAS devices and VMware ESXi servers.
The builder for the Babuk Locker ransomware has leaked onto the Internet, so any criminal group seeking to enter the ransomware scene can obtain it with little or no development effort.
According to copies of the leaked files obtained by The Record, the Babuk Locker builder can be used to create a custom version of the ransomware for encrypting files on Windows systems, on ARM-based network-attached storage (NAS) devices and on VMware ESXi servers. In addition, a decryptor is generated for each ransomware build created with the builder, which makes it possible to recover each victim's encrypted files.
The Babuk Locker builder was leaked two months after its creators announced they would end ransomware operations following a high-profile attack on the Washington Police Department in late April. The cybercriminals retired at the end of May, when their leak site was renamed Payload.bin and began operating as a third-party host for other ransomware groups that do not have their own sites on which to publish their victims' data.
Ransomware leak time – Babuk's builder. Used for making Babuk payloads and decryption.
builder.exe foldername, e.g. builder.exe victim will spit out payloads for:
Windows, VMware ESXi, network attached storage x86 and ARM.
note.txt must contain ransom. https://t.co/K3J3zr1XBv pic.twitter.com/1bl7oc0TvO
— Kevin Beaumont (@GossiTheDog) June 27, 2021
At the time of writing, it was unclear whether the builder was leaked as a result of a failed transaction when the creators of Babuk Locker tried to sell it to a third party, or whether it was deliberately published by a rival group or a security researcher.