{
	"id": "76e4a9ac-a970-4c45-be99-7e7010c452e3",
	"created_at": "2026-04-06T00:12:18.275261Z",
	"updated_at": "2026-04-10T03:21:01.705707Z",
	"deleted_at": null,
	"sha1_hash": "9d9fcc4fa1a73983bf5f0abe4fc4f0e5af128738",
	"title": "Builder for Babuk Locker ransomware leaked online",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 418907,
	"plain_text": "Builder for Babuk Locker ransomware leaked online\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-17 · Archived: 2026-04-05 17:14:06 UTC\r\nThe builder for the Babuk Locker ransomware was leaked online this week, allowing easy access to an advanced\r\nransomware strain to any would-be criminal group looking to get into the ransomware scene with little to no\r\ndevelopment effort.\r\nAccording to a copy of the leak, obtained and tested by The Record, the Babuk Locker \"builder\" can be used to\r\ncreate custom versions of the Babuk Locker ransomware that can be used to encrypt files hosted on Windows\r\nsystems, ARM-based network-attached storage (NAS) devices, and VMware ESXi servers.\r\nFurther, for every Babuk encrypter generated through the app, the builder also generates decrypters that can be\r\nused to recover the encrypted files from each victim.\r\nThe leak of the Babuk Locker builder comes two months after the Babuk Locker ransomware gang announced\r\nthat it was retiring from ransomware operations after a high-profile attack on the Washington, DC police\r\ndepartment in late April.\r\nThe gang is believed to have followed through on its retirement plans in late May when it rebranded its\r\nransomware leak site into Payload.bin and started operating as a third-party host for other ransomware gangs that\r\nwanted to leak files from victims but did not want to operate their own leak site.\r\nAt the time of writing, it is unclear if the Babuk gang tried to sell their ransomware builder to a third party in a\r\ntransaction that went bad, or if the builder was leaked by a rival or a white-hat security researcher.\r\nBut whatever happened behind the scenes, the gang's builder leaked online earlier this week when it\r\nwas uploaded on the VirusTotal malware scanning portal.\r\nThe file was discovered earlier today by British security researcher Kevin Beaumont, 
who shared a copy with The\r\nRecord for reporting purposes.\r\nThe Babuk builder leak also comes two weeks after the source code of the Paradise ransomware builder was\r\nshared on a public hacking forum.\r\nWhile the two incidents are believed to be unrelated, both are a cause of concern for cybersecurity experts, who\r\nbelieve low-effort cybercrime gangs will now adopt the two tools for future, and potentially very clumsy\r\n(destructive) attacks.\r\n\"Hopefully this can be used to drive research on detection and decryption,\" Beaumont said earlier today in a tweet.\r\nA good starting point for improving detection would be to understand how the Babuk strain works, a process that\r\nwas detailed in great technical depth in this 73-page Capgemini report [PDF].\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/"
	],
	"report_names": [
		"builder-for-babuk-locker-ransomware-leaked-online"
	],
	"threat_actors": [],
	"ts_created_at": 1775434338,
	"ts_updated_at": 1775791261,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d9fcc4fa1a73983bf5f0abe4fc4f0e5af128738.pdf",
		"text": "https://archive.orkl.eu/9d9fcc4fa1a73983bf5f0abe4fc4f0e5af128738.txt",
		"img": "https://archive.orkl.eu/9d9fcc4fa1a73983bf5f0abe4fc4f0e5af128738.jpg"
	}
}