{
	"id": "85d218d3-7202-4022-9f8f-19812891dc46",
	"created_at": "2026-04-06T00:10:48.427797Z",
	"updated_at": "2026-04-10T03:21:14.788124Z",
	"deleted_at": null,
	"sha1_hash": "9d1e9166a17409948b5181fe35789a2c482afbf1",
	"title": "Babuk ransomware's full source code leaked on hacker forum",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3216260,
	"plain_text": "Babuk ransomware's full source code leaked on hacker forum\r\nBy Lawrence Abrams\r\nPublished: 2021-09-03 · Archived: 2026-04-05 15:36:54 UTC\r\nA threat actor has leaked the complete source code for the Babuk ransomware on a Russian-speaking hacking forum.\r\nBabuk Locker, also known internally as Babyk, is a ransomware operation launched at the beginning of 2021 when it began\r\ntargeting businesses to steal and encrypt their data in double-extortion attacks.\r\nAfter attacking the Washington DC's Metropolitan Police Department (MPD) and feeling the heat from U.S. law enforcement,\r\nthe ransomware gang claimed to have shut down their operation.\r\nhttps://www.bleepingcomputer.com/news/security/babuk-ransomwares-full-source-code-leaked-on-hacker-forum/\r\nPage 1 of 7\r\nHowever, members of the same group splintered off to relaunch the ransomware as Babuk V2, where they continue to\r\nencrypt victims to this day.\r\nSource code released on a hacking forum\r\nAs first noticed by security research group vx-underground, an alleged member of the Babuk group released the full source\r\ncode for their ransomware on a popular Russian-speaking hacking forum.\r\nThis member claimed to be suffering from terminal cancer and decided to release the source code while they have to \"live\r\nlike a human.\"\r\nA translated forum post on a hacking forum\r\nOriginal post in Russian\r\nAs the leak contains everything a threat actor needs to create a functional ransomware executable, BleepingComputer has\r\nredacted the links to the source code.\r\nThe shared file contains different Visual Studio Babuk ransomware projects for VMware ESXi, NAS, and Windows\r\nencryptors, as shown below.\r\nESXi, NAS, and Windows Babuk ransomware source code\r\nThe Windows folder contains the complete source code for the Windows encryptor, decryptor, and what appears to be a\r\nprivate and public key generator.\r\nBabuk Windows encryptor source code\r\nFor example, the source code for the encryption routine in the Windows encryptor can be seen below.\r\nBabuk encryption routine source code\r\nEmsisoft CTO and ransomware expert Fabian Wosar and researchers from McAfee Enterprise have both told\r\nBleepingComputer that the leak appears legitimate. Wosar also stated that the leak may contain decryption keys for past\r\nvictims.\r\nBabuk ransomware uses elliptic-curve cryptography (ECC) as part of its encryption routine. Included in the leak are folders\r\ncontaining encryptors and decryptors compiled for specific victims of the ransomware gang.\r\nWosar told BleepingComputer that these folders also contain curve files that could be the ECC decryption keys for these\r\nvictims, but this has not been confirmed yet.\r\nECC curve file for Babuk victim\r\nIn total, there are 15 folders with curve files containing possible decryption keys.\r\nOf tales of betrayal and backstabbing\r\nBabuk Locker has a sordid and public history involving betrayal and backstabbing that led to the group splintering.\r\nBleepingComputer has learned from one of the Babuk ransomware gang members that the group splintered after the attack\r\non the Washington DC's Metropolitan Police Department (MPD).\r\nAfter the attack, the 'Admin' allegedly wanted to leak the MPD data for publicity, while the other gang members were\r\nagainst it.\r\n\"We're not good guys, but even for us it was too much. )\" - Babuk threat actor\r\nAfter the data leak, the group splintered with the original Admin forming the Ramp cybercrime forum and the rest launching\r\nBabuk V2, where they continue to perform ransomware attacks.\r\nSoon after the Admin launched the Ramp cybercrime forum, it suffered a series of DDoS attacks to make the new site\r\nunusable. The Admin blamed his former partners for these attacks, while the Babuk V2 team told BleepingComputer that\r\nthey were not responsible.\r\n\"We completely forgot about the old Admin. We are not interested in his forum,\" the threat actors told BleepingComputer.\r\nTo add to the group's controversy, a Babuk ransomware builder was leaked on a file-sharing site and was used by another\r\ngroup to launch their own ransomware operation.\r\nIt appears that Babuk is not alone with stories of backstabbing and betrayals.\r\nAfter Wosar set up a Jabber account for threat actors to contact him, he tweeted that he has received intel from threat\r\nactors who feel \"wronged\" by their partners and decided to leak information in revenge.\r\nWosar has told BleepingComputer that he has been able to use this intelligence to prevent ongoing ransomware attacks.\r\nUpdate 9/3/21: McAfee Enterprise also confirmed that the source code is legitimate.\r\nSource: https://www.bleepingcomputer.com/news/security/babuk-ransomwares-full-source-code-leaked-on-hacker-forum/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/babuk-ransomwares-full-source-code-leaked-on-hacker-forum/"
	],
	"report_names": [
		"babuk-ransomwares-full-source-code-leaked-on-hacker-forum"
	],
	"threat_actors": [],
	"ts_created_at": 1775434248,
	"ts_updated_at": 1775791274,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d1e9166a17409948b5181fe35789a2c482afbf1.pdf",
		"text": "https://archive.orkl.eu/9d1e9166a17409948b5181fe35789a2c482afbf1.txt",
		"img": "https://archive.orkl.eu/9d1e9166a17409948b5181fe35789a2c482afbf1.jpg"
	}
}