
In this blog series we spotlight one of the stories from our cybersecurity newsletter, Beacon.
A group initially believed to represent a resurgence of the Babuk ransomware gang surfaced recently under the name Babuk2. This group announced its return on January 27, 2025, claiming that the original Babuk had re-entered the ransomware scene. However, a recent report indicates that the individuals behind Babuk2 were likely not affiliated with the original actors. Instead, they appear to be leveraging previously stolen data and capitalizing on the Babuk name in a re-extortion campaign aimed at maximizing financial gain.
The group announced their comeback in January by claiming responsibility for 61 victims via their data leak site, posting a message that stated: “Hello World, have you forgotten us? We are now back for you. By Babuk locker, maybe you have been waiting for our arrival for a long time. We give you our contact below if you want to contact us. Maybe today or tomorrow and so on we start operating as usual.”
The original Babuk gained notoriety following its final known attack on April 26, 2021, when it targeted the Metropolitan Police Department of Washington, D.C. That incident reportedly sparked internal conflict between group members known as dyadka0220 and boriselcin, leading to Babuk’s shutdown and split.
Regarding the resurgence, Babuk2 may not be a continuation of the original Babuk ransomware group. Instead, an independent hacker group named Bjorka, which has adopted Babuk’s name and attack templates, may be behind the comeback. Additionally, much of the data the group claims to hold actually originated from previous leaks by other ransomware groups.
Adding a further layer of complication, Searchlight Cyber analysts have obtained messages from a Telegram channel suggesting that the “Bjorka” involved in Babuk 2.0 may be an impersonator.
Telegram messages obtained by Searchlight analysts