{
	"id": "bedb5876-f1bb-4424-8e78-9300ba07e923",
	"created_at": "2026-04-06T00:16:26.13978Z",
	"updated_at": "2026-04-10T03:20:20.846643Z",
	"deleted_at": null,
	"sha1_hash": "32b2925b0764bf119f25d73b8c98a818dc35e71c",
	"title": "Meet Babuk, a ransomware attacker blamed for the Serco breach",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34954,
	"plain_text": "Meet Babuk, a ransomware attacker blamed for the Serco breach\r\nBy Sean Lyngaas\r\nPublished: 2021-02-04 · Archived: 2026-04-05 17:49:57 UTC\r\nIt began with a laughable offer.\r\nSomeone calling themselves “biba99” on a popular criminal forum claimed on Jan. 5 to provide “non-malicious”\r\nsoftware to help organizations identify “security issues.” The author struggled to explain, in halting English, “why\r\nwe are not … criminals” while assuring readers that the group would not hack hospitals or schools.\r\nA month later, the attacker behind what appeared to be a bumbling forum post is reportedly claiming\r\nresponsibility for a ransomware attack on the multibillion-dollar outsourcing firm Serco.\r\nThe ransomware gang, dubbed Babuk after the strain of code it uses, is a case study in how quickly crooks can\r\nlearn the basics of digital extortion — and how that breeds ambition for big corporate scalps. It shows how even\r\nrelatively unsophisticated criminals can bedevil major corporations.\r\nAfter claiming to only target companies that earn less than $4 million, the Babuk attacker went after Serco, Sky\r\nNews reported on Sunday. The outsourcing firm reported more than $4 billion in revenue in 2019.\r\n“Serco’s mainland European business has been subject to a cyber attack,” a Serco spokesperson said. “The attack\r\nwas isolated to our continental European business, which accounts for less than 3% of our overall business. 
It has\r\nnot impacted our other business or operations.”\r\nThe incident comes after security firms and insurers increasingly have emphasized that digital extortionists learn\r\nfrom other attackers’ techniques, outsource some of their operations and rely on connections to infiltrate victim\r\nnetworks.\r\n“Like many actors new to the world of ransomware, the actor behind Babuk ransomware has been learning on the\r\njob while drawing insights from other criminal groups,” said Allan Liska, an intelligence analyst at the threat\r\nintelligence company Recorded Future.\r\n“As they have completed attacks, they have taken lessons learned and incorporated them into the code,” Liska\r\nsaid. He pointed to how the attacker has included new features that ensure victim machines can be encrypted\r\nbefore the ransomware is deployed.\r\nThe Babuk attacker has also set up a website to pressure victims to pay — a common tactic among ransomware\r\ncrooks.\r\nThe attacker has typically demanded $60,000 to $85,000 in ransoms, but that is “likely to increase over time as the\r\nthreat actor becomes more experienced in ransomware operations,” according to a private analysis from\r\nPricewaterhouseCoopers obtained by CyberScoop.  \r\nBabuk is far from sophisticated. Its code has contained errors that kept it from executing on some targeted\r\ncomputers, according to PwC. 
“We assess that, due to a disregard for error checking, Babuk would fail to execute\r\naltogether in some environments,” the analysis says.\r\nBut while Babuk is still a relatively low-level threat to organizations, according to Liska, that could change if they\r\nare able to earn more money from attacks and invest in new capabilities.\r\n“Efficacy breeds profit, which breeds capability in the ransomware business,” Liska said.\r\nSource: https://www.cyberscoop.com/babuk-ransomware-serco-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cyberscoop.com/babuk-ransomware-serco-attack/"
	],
	"report_names": [
		"babuk-ransomware-serco-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434586,
	"ts_updated_at": 1775791220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32b2925b0764bf119f25d73b8c98a818dc35e71c.pdf",
		"text": "https://archive.orkl.eu/32b2925b0764bf119f25d73b8c98a818dc35e71c.txt",
		"img": "https://archive.orkl.eu/32b2925b0764bf119f25d73b8c98a818dc35e71c.jpg"
	}
}