Technical issues compel ransomware operator to switch to good ol' data theft and extortion

Holding data hostage

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Unable to fine tune their decryptor, the threat actors behind theBabuk ransomwarehave changed their business model, and are no longer encrypting their victim’s data, according tocybersecurityresearchers.

While it initially attackedWindows machines, theransomwarehad added a cross-platform binary that allowed it to targetLinuxmachines as well as VMware ESXi-powered virtual machines (VM).

However, the researchers observed that Babuk’s decryptor had numerous issues, which meant the files they encrypted weren’t always recoverable, even by their own decryptor.

We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.

Click here to start the survey in a new window«

“Ultimately, the difficulties faced by the Babuk developers in creating ESXi ransomware may have led to a change in business model, from encryption to data theft and extortion,” reason the researchers in ablog post.

Forced change

McAfeeAdvanced Threat Research (ATR) team has been tracking the relatively new Babuk ransomware, which hastargeted at least five major businessesin 2021.

According to the researchers, the ransomware is written in theopen sourceGo programming language, which enables the threat actors to have a single codebase that can be compiled under differentoperating systems.

In theirtechnical analysisof the Babulk ransomware, the researchers unravel its poorly designed decryptor, which they believe is the main reason behind the threat actor switching strategies.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The researchers claim that Babuk has itself shared its intentions to cease its ransomware operations and move to a different business model built around data exfiltration, in its website on the dark web.

Moving from a pure encryption, on to a double-extortion scheme, the researchers conclude that “it is interesting to see threat actors now moving towards a scheme where their sole source of pressure to extort victims is the exfiltration of sensitive data.”

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

This new malware utilizes a rare programming language to evade traditional detection methods

A new form of macOS malware is being used by devious North Korean hackers

I’ve been covering Apple Watch deals for years – This is the one model most people should buy on Black Friday