{
	"id": "c58d6d12-b62f-426a-8c88-db796c705c1c",
	"created_at": "2026-04-06T00:09:26.428539Z",
	"updated_at": "2026-04-10T03:21:46.401534Z",
	"deleted_at": null,
	"sha1_hash": "89f35b7f819bb28f9c8f01f093e414aa970666b2",
	"title": "Babuk Ransomware Variant Delta Plus Used in Live Attacks After Source Code Leaked",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 470689,
	"plain_text": "Babuk Ransomware Variant Delta Plus Used in Live Attacks After Source Code Leaked\r\nArchived: 2026-04-05 15:33:18 UTC\r\nOn September 28th, the ZeroFox Threat Intelligence team discovered a Babuk ransomware variant calling itself Delta Plus 2.3. The operator behind Delta Plus has recently made use of multiple other ransomware variants under the name Delta Plus as well. While no notable changes were made to the Babuk variant aside from modifying the file extension, the sample’s build date was just 10 days after the leak, highlighting how low the barrier to entry for running a ransom operation can be when given a complete solution.\r\nBabuk Ransomware Explained\r\nBabuk ransomware was first discovered in early January 2021. In its early days, victim leaks were published on underground criminal forums while the group worked to create their website. January to April 2021 saw several organizations fall victim to the group, including the Metropolitan Police Department of the District of Columbia. The attention from attacking the Metropolitan Police Department allegedly caused disagreements within the group between those who wanted to publish the leak and those who felt it went too far, eventually leading to a retirement announcement and a split. Payload.bin, a site focused solely on extortion, was launched as a direct result of the fallout.\r\nBy the end of June, a compiled version of the Babuk ransomware builder had been published online by “biba99,” the same account responsible for publishing early victims to underground forums. Finally, on September 2nd, a user going by the handle “dyadka0220” published the full source code for the ESXi, NAS and Windows versions of the ransomware, the decryptors and the builder application.\r\nFigure 1. Actor dyadka0220 posts a link to Babuk’s source code hosted on a public file sharing platform.\r\nSource: ZeroFox Threat Intelligence\r\nBabuk Ransomware Delta Plus Variant\r\nhttps://www.zerofox.com/blog/babuk-ransomware-variant-delta-plus/\r\nPage 1 of 7\r\nOn September 28th, the ZeroFox Threat Intelligence team retrieved a malware sample tagged as Babuk ransomware. It matched several publicly available YARA signatures created to detect Babuk, but the sample was changing the file extension of encrypted files to “.delta” rather than the “.babyk” extension the group was known for. Because the builder application was published in June, anyone could generate new “Babuk” payloads with a custom ransom note. Even with this builder, however, the user was stuck with the .babyk file extension unless they modified the compiled binaries.\r\nFigure 2. A virtual machine that was encrypted using the Babuk builder-generated payload. Encrypted files still used the .babyk file extension.\r\nSource: ZeroFox Threat Intelligence\r\nThe second clear difference was the compilation timestamp. When using binaries from the leaked builder, all generated payloads appear to be built on March 23, 2021. The new sample had a compilation date of September 12, 2021.\r\nFigure 3. Compilation timestamps of a payload using the builder (top) and Delta Plus (bottom).\r\nSource: ZeroFox Threat Intelligence\r\nLooking at the dropped ransom note, we can see that the actor decided to brand this ransomware as Delta Plus. The ransom demand is significantly smaller than the six- and seven-figure ransom amounts regularly demanded by the larger groups. In this case, the potential victim is told to pay US $6500 in Bitcoin. If the victim contacts the provided email within 72 hours, the amount is halved to $3250.\r\nFigure 4. Ransom note dropped by Delta Plus 2.3.\r\nSource: ZeroFox Threat Intelligence\r\nBy following the email address and Bitcoin wallet given in the ransom note, the ZeroFox Threat Intelligence team was able to discover more related samples. The actor behind Delta Plus did not appear to be attached to any one ransomware solution, as we discovered binaries compiled from .NET and Delphi as well, while Babuk is written in the C programming language. Various notes dropped by these samples had ransom demands from $300 to $10,500 and mostly stuck to the Delta Plus name, though one sample was referred to as “Doydo.” Multiple email addresses and Bitcoin wallets were discovered to be in use by this actor.\r\nRecommendations\r\nAs with the identification of any new ransomware variant or digital attack technique, it is imperative that security teams have proactive protections in place to detect and respond to cyber attacks. The ZeroFox Threat Intelligence team recommends that all security teams:\r\nEnsure antivirus and intrusion detection software is up to date with all patches and rule sets\r\nEnable 2-factor authentication for all of your organizational accounts to help mitigate phishing and credential stuffing attacks\r\nMaintain regularly scheduled backup routines, including off-site storage and integrity checks\r\nAvoid opening unsolicited attachments and never click suspicious links\r\nLog and monitor all administrative actions as much as possible, and alert on any suspicious activity\r\nReview network logs for potential signs of compromise and data egress\r\nConclusion\r\nThe actor behind Delta Plus appears to be using various freely available ransomware products with the ability to drop custom ransom notes. With freely available ransomware builders and the full source code of projects like Babuk available for anyone to download, the barrier to entry has been lowered. Skilled and low-skilled actors alike now have the ability to repackage ready-made solutions with minimal changes needed.\r\nIndicators of Compromise\r\nHashes\r\nITW Links\r\nSource: https://www.zerofox.com/blog/babuk-ransomware-variant-delta-plus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zerofox.com/blog/babuk-ransomware-variant-delta-plus/"
	],
	"report_names": [
		"babuk-ransomware-variant-delta-plus"
	],
	"threat_actors": [],
	"ts_created_at": 1775434166,
	"ts_updated_at": 1775791306,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/89f35b7f819bb28f9c8f01f093e414aa970666b2.pdf",
		"text": "https://archive.orkl.eu/89f35b7f819bb28f9c8f01f093e414aa970666b2.txt",
		"img": "https://archive.orkl.eu/89f35b7f819bb28f9c8f01f093e414aa970666b2.jpg"
	}
}