A builder for Babuk Locker ransomware has been leaked online, allowing easy access to an advanced ransomware strain. Because of this, any interested individual or criminal group with little technical skills can start their own ransomware operation.

What happened?

According to researchers, this builder can be used to create custom versions of Babuk Locker. These versions can encrypt files hosted on Windows, ARM-based NAS devices, and ESXi servers.
  • Moreover, every custom version of Babuk encryptor created using the builder app can generate decrypters. They can also be used to restore the encrypted files from each victim.
  • The leak happened two months after the ransomware gang announced about retiring from ransomware operations, which was soon after the attack on the Washington, DC police department in April.
  • In May, the gang rebranded its ransomware leak site as Payload[.]bin. Further, it started working as a third-party host for other ransomware gangs who wanted to leak files from victims, however, did not want to operate their own leak site.
  • It is not known if the gang attempted to sell its ransomware builder to a third party in a transaction that went south, or if the builder was leaked by a rival gang or a security researcher.

Other leaked ransomware code

Babuk Locker’s builder was leaked online when it was uploaded on the VirusTotal malware scanning portal. Along with this ransomware, other crypto lockers got leaked online in the past some time:
  • Two weeks ago, the source code of Paradise ransomware was shared on a public hacking forum. The ransomware code was shared on a Russian-speaking forum known as the XSS.
  • Last year, ArisLocker ransomware’s source code was found to be spreading on the dark web. The strain had a weakness in its encryption system, enabling security researchers to exploit it.


The leak of such advanced ransomware code is a grave cause of concern for cybersecurity experts. It is surmised that such leaks allow small cybercrime gangs to adopt leaked builders to develop new ransomware. Thus, it is best for organizations to proactively apply security measures to avoid such threats.

Cyware Publisher