Babuk
Babuk is a ransomware family and ransomware operation that emerged in early 2021 and is also referred to as Babyk, Babuk Locker, Babak, and Vasa Locker. It is a double-extortion ransomware family that has targeted enterprise environments and has variants for Windows, VMware ESXi, and NAS/Linux systems. The Babuk source code and builders were leaked in September 2021, including a C++ ELF ESXi locker, a Go-based NAS locker, and Windows tooling. That leak significantly lowered the barrier to entry for other actors and led to widespread reuse of Babuk code in later ransomware families and campaigns, especially ESXi-targeting lockers, complicating attribution.
Documented Babuk capabilities include stopping antivirus services, deleting volume shadow copies with "vssadmin.exe delete shadows /all /quiet", and DLL sideloading; one reported chain abused the legitimate NTSD.exe debugger as the sideloading host to deliver the ransomware. For file encryption, Babuk-derived ESXi lockers use the Sosemanuk stream cipher and the Windows locker uses HC-128, with Curve25519-Donna used for key generation in both, according to the cited research. Babuk-based ESXi lockers target VMware-centric files so that hypervisor-hosted virtual machine data is encrypted from the host rather than from inside each guest.
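The Curve25519 key handling described above, as an added example that is not the leaked Babuk code: a pure-Python RFC 7748 ladder plus the hybrid pattern in which the locker pairs a per-run ephemeral key with an embedded operator public key. The embedded-key layout, the per-run ephemeral key and the SHA-256 derivation of the stream-cipher key are assumptions made here to illustrate the design, not details this page states; the Sosemanuk/HC-128 file encryption itself is not shown.

```python
"""Curve25519 key agreement of the kind this page attributes to Babuk.

Added example in pure Python (RFC 7748 Montgomery ladder), not code from the
leaked Babuk sources. Assumptions, not taken from this page: the attacker's
public key is embedded in the locker, the locker generates a fresh ephemeral
key per run, and the stream-cipher key is SHA-256 of the shared secret.
"""
import hashlib
import os

P = 2**255 - 19
A24 = 121665
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    b = bytearray(u)
    b[31] &= 127  # RFC 7748: the top bit of the u-coordinate is ignored
    return int.from_bytes(b, "little") % P


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Scalar multiplication on Curve25519 (RFC 7748 section 5).

    The conditional swap is a plain branch here, so this is readable but not
    constant-time; fine for analysis, not for a production library."""
    k = _clamp(scalar)
    x1 = _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = pow((da + cb) % P, 2, P)
        z3 = x1 * pow((da - cb) % P, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair(seed=None):
    """Private scalar plus public u-coordinate; seed=None draws a random scalar."""
    sk = seed if seed is not None else os.urandom(32)
    return sk, x25519(sk, BASEPOINT)


def locker_file_key(attacker_pub: bytes, ephemeral_seed=None):
    """Locker side (assumed design): derive the file key from an ephemeral key
    and the embedded operator public key, then keep only the ephemeral public half."""
    eph_sk, eph_pk = keypair(ephemeral_seed)
    file_key = hashlib.sha256(x25519(eph_sk, attacker_pub)).digest()
    del eph_sk  # the private half is discarded; eph_pk is stored with the data
    return file_key, eph_pk


def decryptor_file_key(attacker_sk: bytes, eph_pk: bytes) -> bytes:
    """Operator side: only the attacker's private scalar recovers the same key."""
    return hashlib.sha256(x25519(attacker_sk, eph_pk)).digest()


if __name__ == "__main__":
    att_sk, att_pub = keypair()  # generated offline; att_pub would ship in the locker
    key_on_victim, eph_pk = locker_file_key(att_pub)
    print(key_on_victim == decryptor_file_key(att_sk, eph_pk))  # True
```

The practical consequence for responders is the asymmetry the last two functions show: once the ephemeral private scalar is gone, the victim-side artifact (the ephemeral public key written alongside the encrypted data) is necessary but not sufficient, and recovery hinges on the operator private key or on an implementation flaw in the locker, neither of which this example models.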
The malware and its leaked codebase have been associated with multiple threat actors and campaigns. Babuk has been used alongside LockBit 3.0 by groups targeting Russian organizations, including Crypt Ghouls and Head Mare/Twelve-linked activity, with Babuk deployed on Linux, ESXi, NAS and other non-Windows systems while LockBit handled Windows. F.A.C.C.T. reporting described the Shadow/Comet/DARKSTAR group using Babuk for file encryption. Cisco Talos observed Babuk files in a Storm-2603-linked intrusion, although in that case the Babuk component failed to encrypt and only renamed files. U.S. authorities also named Babuk in charges against Mikhail Pavlovich Matveev for alleged participation in conspiracies involving LockBit, Babuk, and Hive.
The 2021 leak reshaped the ESXi ransomware landscape. SentinelLABS identified numerous VMware ESXi ransomware families derived from leaked Babuk code, including variants linked to Play, Mario/Ransom House, and Conti POC/Conti ESXi, plus Cylance ransomware, Dataf Locker, Rorschach/BabLock, Lock4, RTM Locker, and XVGV. Other malware described as Babuk-derived or Babuk-based includes Astralocker-derived tooling, SEXi's Linux variant, and EndPoint/Midnight. The leak also shaped later groups such as The Gentlemen, whose developers reportedly reverse engineered Babuk samples along with Qilin, LockBit, and Medusa. For attribution this means a Babuk-family signature or code-similarity match on an ESXi locker identifies the lineage of the code, not the operator behind the intrusion.
Historically, Babuk attacked the Washington, D.C. Metropolitan Police Department in April 2021 and published stolen documents. After increased law-enforcement pressure Babuk claimed to shut down, and its members splintered into other efforts including the RAMP forum and Babuk V2. High-confidence aliases are Babuk, Babyk, and Vasa Locker.
Vulnerabilities exploited
Three CVEs have been correlated with this family across public research and vendor advisories. The supporting excerpts tie the vulnerabilities to intrusions in which Babuk was one of the payloads, not to the Babuk code itself.
The version of Velociraptor observed in this incident was outdated (version 0.73.4.0) and exposed to a privilege escalation vulnerability (CVE-2025-6264), which may have been leveraged for persistence as this vulnerability can lead to arbitrary command execution and endpoint takeover.
"...others support or sell ESXi encryptors like Akira, Black Basta, Babuk, Lockbit, and Kuiper."
...threat actors have been observed weaponizing a vulnerable version of Bitrix for initial access, followed by using the Zerologon flaw to escalate privileges.
Groups observed using it
23 distinct threat actors have been attributed by public researchers; the excerpts below are representative of that evidence.
Talos IR responded to Warlock, Babuk and Kraken ransomware variants for the first time... Notably, we also observed evidence of Babuk ransomware files on the customer’s network in this engagement, which has not been previously deployed by Storm-2603 according to public reporting, though it failed to encrypt and only renamed files.
As in previous attacks, they encrypted data using variants of LockBit 3.0 (for Windows systems) and Babuk (for NAS devices).
As the final payload, the group used the well-known ransomware LockBit 3.0 and Babuk.
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Threat actors predominately exploited public-facing applications for initial access this quarter... Almost 40 percent of all engagements involved ToolShell activity... attackers began actively exploiting two path traversal vulnerabilities affecting on-premises SharePoint servers... resulting in unauthenticated remote code execution.
Execution (1 technique)
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Stealth (4 techniques)
... The Gentlemen's developers systematically reverse engineer samples of Babuk, Qilin, LockBit 5.0 and Medusa, pulling out ... obfuscation techniques (T1027) ...
The deception is deliberate, designed to mislead victims and possibly even seasoned investigators into misidentifying the actual threat actor behind the attack.
Discovery (3 techniques)
Reporting repeatedly describes malware and threat actors obtaining lists of running processes with utilities and APIs such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot and EnumProcesses; for a locker this enumeration typically precedes terminating the processes and services that hold target files open.
Reporting repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension, name or path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Lateral Movement (1 technique)
Exfiltration (3 techniques)
The police documents were stolen and published by the ransomware attack group Babuk...
Impact (5 techniques)
running its ransomware payload there to directly encrypt the virtual disk images on the nodes
Examples include Babuk 'can stop anti-virus services', BOLDMOVE disabling daemons, Conficker terminating services, Lazarus malware disabling Windows services, and SolarWinds Compromise where APT29 'used the service control manager on a remote system to disable services associated with security monitoring products.'
Akira will delete system volume shadow copies via PowerShell commands. Avaddon deletes backups and shadow copies using native system tools. Babuk has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet. BlackCat can delete shadow copies using vssadmin.exe delete shadows /all /quiet and wmic.exe Shadowcopy Delete; it can also modify the boot loader using bcdedit /set {default} recoveryenabled No.
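The commands quoted in the Impact excerpts above and the AV-service stop and NTSD.exe sideloading noted in the profile are all visible in ordinary process-creation and image-load telemetry. The hunt below is an added example, not vendor detection content: it runs those checks over a handful of constructed records shaped loosely like Sysmon events. The set of security-service names it alerts on is an assumed, illustrative list, and the sideloading heuristic (a relocated ntsd.exe resolving a DLL from its own directory) is a generic pattern rather than a reconstruction of the reported chain.

```python
"""Hunt constructed endpoint telemetry for the Babuk impact/evasion tradecraft
quoted on this page: vssadmin/wmic shadow-copy deletion, bcdedit recovery
disable, security-service stops, and DLL sideloading through NTSD.exe.

Added example, not vendor detection content. The events below are constructed
(shaped loosely like Sysmon process-create and image-load records), and the
security-service name list is an assumed, illustrative set.
"""
import ntpath
import re

# T1490 Inhibit System Recovery: the vssadmin and wmic forms are quoted on this
# page for Babuk/BlackCat, the bcdedit form for BlackCat.
RECOVERY_INHIBIT = [
    ("shadow copies deleted via vssadmin",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b.*/all", re.I)),
    ("shadow copies deleted via wmic",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery environment disabled via bcdedit",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
]

# T1489 Service Stop: assumed list of service names worth alerting on.
SECURITY_SERVICES = {"windefend", "wdnissvc", "sense", "sentinelagent", "csfalconservice"}
SERVICE_STOP = re.compile(r'\b(?:net1?|sc)(?:\.exe)?"?\s+stop\s+"?([^\s"]+)', re.I)

WINDOWS_DIR = "c:\\windows\\"


def _under_windows(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIR)


def check_process(ev: dict) -> list:
    """Match one process-creation event against the command-line signatures."""
    cmd = ev.get("cmdline", "")
    hits = [("T1490", label, cmd) for label, rx in RECOVERY_INHIBIT if rx.search(cmd)]
    m = SERVICE_STOP.search(cmd)
    if m and m.group(1).lower() in SECURITY_SERVICES:
        hits.append(("T1489", f"security service stopped: {m.group(1)}", cmd))
    return hits


def check_image_load(ev: dict) -> list:
    """Flag ntsd.exe running outside the Windows directory and loading a DLL from
    its own directory: a signed debugger copied elsewhere and resolving a DLL next
    to itself is the generic sideloading shape (T1574 Hijack Execution Flow)."""
    image, loaded = ev.get("image", ""), ev.get("loaded", "")
    if ntpath.basename(image).lower() != "ntsd.exe":
        return []
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
    if same_dir and not _under_windows(image) and not _under_windows(loaded):
        return [("T1574", "DLL sideloaded into relocated ntsd.exe", loaded)]
    return []


def hunt(events: list) -> list:
    """Return (technique, description, evidence) tuples for every matching event."""
    findings = []
    for ev in events:
        if ev.get("event") == "process_create":
            findings.extend(check_process(ev))
        elif ev.get("event") == "image_load":
            findings.extend(check_image_load(ev))
    return findings


# Constructed sample telemetry (not real logs). The last three are benign controls.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"event": "process_create", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
    {"event": "process_create", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"event": "process_create", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop WinDefend"},
    {"event": "image_load", "image": r"C:\Users\Public\ntsd.exe",
     "loaded": r"C:\Users\Public\dbgeng.dll"},
    {"event": "process_create", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"event": "process_create", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop Spooler"},
    {"event": "image_load", "image": r"C:\Windows\System32\ntsd.exe",
     "loaded": r"C:\Windows\System32\dbgeng.dll"},
]

if __name__ == "__main__":
    for technique, label, evidence in hunt(SAMPLE_EVENTS):
        print(f"{technique}: {label} <- {evidence}")
```

Two things to keep in mind when porting this to a SIEM: the shadow-copy and bcdedit commands are high-fidelity on workstations but routine on backup servers, so scope the rule by host role rather than suppressing it globally; and the sideloading check keys on the process path, so an adversary who runs the debugger from its original location defeats it and an image-load rule on unsigned DLLs in the same process is the complementary signal.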
Other (2 techniques)
Reporting repeatedly describes threat actors and malware disabling, stopping, uninstalling, or modifying antivirus, EDR, Windows Defender, AMSI, logging, and other security controls.
Examples include 'Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools', 'BlackByte disabled security tools such as Windows Defender', 'Scattered Spider has uninstalled and disabled security tools', and many malware families terminating AV/EDR processes or services.
IOCs tracked for this family
13 indicators have been attributed across vendor reports, sandbox runs, and researcher write-ups; the indicator values themselves are not reproduced on this page.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
96 sources tracked across advisories, community write-ups, and news.
Referenced as a ransomware family whose samples were reverse engineered by The Gentlemen developers to extract encryption routines, obfuscation techniques, and EDR evasion methods.
Babuk is referenced as one of the ransomware codebases/samples used as inspiration for development of The Gentlemen encryptor.
A ransomware framework/family from which several derivative ransomware strains emerged after its source code leak; the source text mentions it as the lineage on which EndPoint is based.
Ransomware family/operator referenced as abusing DLL sideloading through NTSD.exe to deliver ransomware.