Babuk ransomware gang, which was discovered at the beginning of 2021, is known to target multiple sectors such as healthcare, manufacturing, and logistics. It has been very active recently and is demanding thousands of dollars in ransom from its victims.

Why is Babuk a growing threat?

Criminals behind the ransomware strain practice the double extortion technique, where operators lock up files after stealing data. The gang’s ransom payment demands generally range from $60,000 to $85,000.
  • In one month alone, the gang has attacked several organizations, including Houston Rockets, Phone House Spain, Metropolitan Police Department, and Telethon: biotech.
  • This month, it has targeted sports, communications, and government entities. Previously, the known targets included manufacturing entities as well.
  • The gang has recently added new features that ensure victim machines can be encrypted before the ransomware is deployed. Moreover, the group has set up a website to leak data and pressure victims into paying the ransom.

Infection vectors

The Babuk group employs multiple infection vectors, such as email phishing, where the initial email delivers a different malware strain, Trickbot or Emotet, that acts as a loader.
  • The ransomware gang is known for exploiting publicly disclosed but unpatched common vulnerabilities and exposures, especially in remote access software, network edge hardware, web servers, and firewalls.
  • The group breaks into a victim's network using valid (compromised) accounts. This is usually done via weakly protected RDP access, with credentials acquired through commodity infostealers.
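The RDP path in the last bullet leaves a recognisable trace in the Windows Security log: a burst of failed logons (EventID 4625, LogonType 10) from one source followed by a success (EventID 4624), or simply a successful RDP logon from an address outside the organisation's ranges. The following detector is an added example written for this article and is not code from Cyware or from any Babuk analysis; the event records, the internal network ranges and the threshold are constructed assumptions, and the dict layout is a simplified stand-in for a real EVTX parser.

```python
"""
Detect the weakly protected RDP logon pattern used for initial access.

Assumptions (constructed for this example, not taken from the article):
  * Events are dicts with ts, id, logon_type, user, src fields, mirroring
    the Security log: 4625 = failed logon, 4624 = successful logon,
    logon_type 10 = RemoteInteractive (RDP).
  * INTERNAL_NETS lists the RFC 1918 ranges as "inside"; everything else
    is treated as external. Explicit networks are used instead of
    ipaddress.is_private because that flag also marks the documentation
    ranges (e.g. 203.0.113.0/24) used in the sample data as private.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample events (hand-written, not captured from a real host).
SAMPLE_EVENTS = [
    {"ts": 1, "id": 4625, "logon_type": 10, "user": "jdoe", "src": "203.0.113.7"},
    {"ts": 2, "id": 4625, "logon_type": 10, "user": "jdoe", "src": "203.0.113.7"},
    {"ts": 3, "id": 4625, "logon_type": 10, "user": "jdoe", "src": "203.0.113.7"},
    {"ts": 4, "id": 4624, "logon_type": 10, "user": "jdoe", "src": "203.0.113.7"},
    # First-try RDP success from an external address: no failures, still worth a look.
    {"ts": 5, "id": 4624, "logon_type": 10, "user": "admin", "src": "198.51.100.2"},
    # Console logon (type 2) and an internal RDP logon: both benign here.
    {"ts": 6, "id": 4624, "logon_type": 2, "user": "jdoe", "src": "-"},
    {"ts": 7, "id": 4624, "logon_type": 10, "user": "ops", "src": "10.20.30.40"},
    # A single failure with no success: not enough to flag.
    {"ts": 8, "id": 4625, "logon_type": 10, "user": "svc", "src": "192.0.2.9"},
]


def is_internal(src):
    """True if src parses as an IP inside one of INTERNAL_NETS."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious_rdp_logons(events, failure_threshold=3):
    """Flag (src, user) pairs where at least failure_threshold RDP failures
    were followed by an RDP success from the same src for the same user.
    The failure counter resets after every success so that an old burst
    is not attributed to a later, unrelated logon."""
    failures = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] != 10:
            continue
        key = (e["src"], e["user"])
        if e["id"] == 4625:
            failures[key] += 1
        elif e["id"] == 4624:
            if failures[key] >= failure_threshold:
                hits.append({
                    "ts": e["ts"],
                    "src": e["src"],
                    "user": e["user"],
                    "failures_before_success": failures[key],
                })
            failures[key] = 0
    return hits


def external_rdp_logons(events):
    """Return every successful RDP logon whose source is not an internal
    address: with RDP exposed to the internet, each of these is a session
    that should be explainable (VPN gateway, jump host, known admin)."""
    return [
        {"ts": e["ts"], "src": e["src"], "user": e["user"]}
        for e in sorted(events, key=lambda e: e["ts"])
        if e["id"] == 4624 and e["logon_type"] == 10 and not is_internal(e["src"])
    ]


if __name__ == "__main__":
    for h in find_suspicious_rdp_logons(SAMPLE_EVENTS):
        print("failures-then-success:", h)
    for h in external_rdp_logons(SAMPLE_EVENTS):
        print("external RDP logon:", h)
```

On the sample data the first function flags only `jdoe` from `203.0.113.7` (three failures, then success), while the second lists that logon plus the first-try `admin` session from `198.51.100.2`; the internal `ops` logon and the console logon are ignored. In practice the same two queries map onto a SIEM search over real 4624/4625 events, and the cheaper mitigation the article implies is to not expose RDP directly at all (VPN or gateway plus MFA), so that the external list is empty by construction.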


Babuk is one of the newest ransomware gangs, having started operations this year. Within a short time frame, it has earned a place on the list of successful ransomware groups. Security researchers should therefore keep a close eye on this malware to track the progress of the threat.

Cyware Publisher