The Babuk ransomware group has decided to close the affiliate program and switch to an extortion model that does not rely on encrypting victim computers, according to a new message sent out today by the gang. The clarification comes after the group posted and then deleted two announcements yesterday about their intention to close the project and release the malware's source code.
The group seems to have taken a different path than the ransomware-as-a-service (RaaS) model, in which the hackers steal data before deploying the encryption stage to use as leverage in ransom payment negotiations.
Babak's newly announced model is nearly identical except for the data encryption part, according to a third "Hello World" message posted on their leak site. In other words, the cybercriminals will run an extortion-without-encryption operation, demanding a ransom for data stolen from compromised networks.
“Babuk changes direction, we no longer encrypt information on networks, we will get to you and take your data, we will notify you about it if you do not get in touch we make an announcement,” stated Babuk ransomware.
Maze ransomware began exfiltrating data in November 2019 in order to boost ransom demands. All big ransomware operations quickly adopted it. In starting of 2021, Clop ransomware exploited zero-day vulnerabilities in Accellion's File Transfer Appliance to ran a series of data-theft attacks on high-value companies without encrypting systems. The group stole a large number of files and demanded large sums of money in exchange for not leaking or trading the information.
Several victims paid tens of millions of dollars in ransom. Babuk ransomware claims that despite being a new team on the ransomware scene, they are already well-known in the industry because they have “the best darknet pentesters.”
The benefits of this extortion business for Babuk are currently unclear, but the group will have to exfiltrate greater amounts of data than with encryption. Babuk reports one victim from whom they claim to have copied 10 terabytes of data on their leak site. The group claims to have stolen 250GB of data from the Metropolitan Police Department (MPD) in their most recent attack. It's also possible that this will increase the group's benefit, either by requiring higher ransoms or by selling the data to competitors or other parties.
RaaS operations have become so large in terms of affiliates that it's difficult to keep track of anything. This has recently translated into technological and management changes that have resulted in victims losing data due to faulty decryption tools or having to deal with multiple attacks by the same group.
This happened with Conti, Lockbit, and REvil and these issues affected many ransomware gangs that were dependent on their reputation of a party that respects their end of the deal to demand higher ransoms.