HOMETHREATSBabuk-Locker
APT / THREAT GROUP

Babuk-Locker

1
aliases

Intelligence Profile

Babuk‑Locker emerged in early 2021 as a Ransomware‑as‑a‑Service (RaaS) gang targeting high‑value “big game” enterprises across sectors like healthcare, telecommunications, finance, education, and government. It initially deployed crypto-ransomware—encrypting files using ChaCha8 encryption with keys secured via elliptic‑curve Diffie‑Hellman—and later added a double‑extortion model involving data theft and leak site threats. Notable incidents include attacks on the Washington, D.C. Metropolitan Police Department and other organizations. In mid‑2021, Babuk’s source code was leaked, prompting both a fragmentation of its core operations and emergence of variants like Babuk Tortilla and Babuk V2. Affiliates exploited vulnerabilities in ESXi hypervisors to deliver destructive variants, and law enforcement actions eventually disrupted key operators.

Threat Analysis

Babuk-Locker is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

External References

Quick Facts

TypeAPT / Threat Group
Aliases1

Also Known As

Babuk-Locker

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
Babuk-Locker — APT / Threat Group | Threat Intelligence | CTIWATCH.COM