Babuk Locker became the first new ransomware family of the year and has been observed targeting a number of victims around the world. It uses multithreading encryption and abuses Windows Restart Manager. After encryption, it demands ransom ranging between $60,000 and $85,000 in Bitcoin.

What has been discovered?

Babuk Locker is following the same path paved by other well-known ransomware families - the double extortion path. 
  • To date, Babuk Locker has five known victims from around the world, including an office furniture firm, car parts manufacturer, medical testing products manufacturer, elevator/escalator company, and a U.S.-based air conditioning company.
  • Each Babuk Locker executable has been customized on a per-victim basis that includes a hardcoded extension, Tor victim URL, and ransom note. Although the coding is amateurish, the encryption is secure.

Modus Operandi

  • When executed, a command-line argument is used to control how the ransomware should encrypt network shares, and whether they should be encrypted before the local file system.
  • When launched, the ransomware terminates multiple Windows services and processes that may prevent encryption. The terminated services include email clients, database servers, backup software, mail servers, and web browsers.

More ransomware victims this year

At the beginning of 2021, several other ransomware families have been observed targeting several victims.
  • Recently, a data archive belonging to NameSouth has been publicly leaked by the NetWalker group.
  • Apex, a clinical laboratory, fell victim to a cyberattack claimed by the DoppelPaymer ransomware group.


Ransomware attacks have been prominent throughout last year and this trend could continue in the current year as well. Thus, experts suggest having a proactive strategy, such as regular backup of important data, frequently updating operating systems and applications with the latest patches, and staying alert while receiving emails from unknown senders.

Cyware Publisher