{
	"id": "61249e7a-495b-4cae-912a-a64f7b355d37",
	"created_at": "2026-04-06T00:18:42.135427Z",
	"updated_at": "2026-04-10T03:20:50.158281Z",
	"deleted_at": null,
	"sha1_hash": "a8fb151f60d6b088cdaba1c4ff2c65243a9d6a81",
	"title": "Babuk Locker is the first new enterprise ransomware of 2021",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4316549,
	"plain_text": "Babuk Locker is the first new enterprise ransomware of 2021\r\nBy Lawrence Abrams\r\nPublished: 2021-01-05 · Archived: 2026-04-05 19:28:00 UTC\r\nIt's a new year, and with it comes a new ransomware called Babuk Locker that targets corporate victims in human-operated attacks.\r\nBabuk Locker is a new ransomware operation that launched at the beginning of 2021 and has since amassed a small list of victims from around the world.\r\nFrom ransom negotiations with victims seen by BleepingComputer, demands range from $60,000 to $85,000 in Bitcoin.\r\nhttps://www.bleepingcomputer.com/news/security/babuk-locker-is-the-first-new-enterprise-ransomware-of-2021/\r\nPage 1 of 6\r\nHow the Babuk Locker encrypts devices\r\nEach Babuk Locker executable analyzed by BleepingComputer has been customized on a per-victim basis to contain a hardcoded extension, ransom note, and a Tor victim URL.\r\nAccording to security researcher Chuong Dong, who also analyzed the new ransomware, Babuk Locker's coding is amateurish but includes secure encryption that prevents victims from recovering their files for free.\r\n\"Despite the amateur coding practices used, its strong encryption scheme that utilizes Elliptic-curve Diffie–Hellman algorithm has proven effective in attacking a lot of companies so far,\" Dong stated in his report.\r\nWhen launched, the threat actors can use a command-line argument to control how the ransomware should encrypt network shares and whether they should be encrypted before the local file system. The command-line arguments that control this behavior are listed below:\r\n-lanfirst\r\n-lansecond\r\n-nolan\r\nOnce launched, the ransomware will terminate various Windows services and processes known to keep files open and prevent encryption. 
The terminated programs include database servers, mail servers, backup software, mail clients, and web browsers.\r\nWhen encrypting files, Babuk Locker will use a hardcoded extension and append it to each encrypted file, as shown below. The current hardcoded extension used for all victims so far is .__NIST_K571__.\r\nBabuk Locker encrypted files\r\nSource: BleepingComputer\r\nA ransom note named How To Restore Your Files.txt will be created in each folder. This ransom note contains basic information on what happened during the attack and a link to a Tor site where the victim can negotiate with the ransomware operators.\r\nOne of the ransom notes seen by BleepingComputer contains the victim's name and links to images proving that the threat actors stole unencrypted files during the attack.\r\nBabuk Locker ransom note\r\nSource: BleepingComputer\r\nThe Babuk Locker Tor site is nothing fancy and simply contains a chat screen where the victim can talk to the threat actors and negotiate a ransom. 
As part of the negotiation process, the ransomware operators ask their victims if they have cyber insurance and are working with a ransomware recovery company.\r\nBabuk Locker Tor chat with a victim\r\nSource: BleepingComputer\r\nThe ransomware operators will also ask victims for the %AppData%\\ecdh_pub_k.bin file, which contains the victim's public ECDH key that allows the threat actors to perform test decryption of the victim's files or provide a decryptor.\r\nUnfortunately, Dong says that the ransomware's use of ChaCha8 and Elliptic-curve Diffie–Hellman (ECDH) makes the ransomware secure and not decryptable for free.\r\nUses hacker forum to leak stolen data\r\nA common ransomware tactic is to steal unencrypted data from a victim before encrypting the network's devices. The threat actors use the stolen data in a double-extortion strategy, where they threaten to leak the data if a ransom is not paid.\r\nMost ransomware operations that utilize this tactic have created public ransomware data leak sites to publish stolen data. However, Babuk Locker is currently using a hacker forum to leak their stolen data. Babuk Locker currently has five known victims from around the world, including:\r\nAn elevator and escalator company\r\nAn office furniture manufacturer\r\nA car parts manufacturer\r\nA medical testing products manufacturer\r\nAn air conditioning and heating company in the USA\r\nAt least one of the victims has agreed to pay the ransom, which was for $85,000.\r\nIn a post to the hacker forum, the Babuk Locker representative states that they will soon launch a dedicated leak site.\r\nSource: https://www.bleepingcomputer.com/news/security/babuk-locker-is-the-first-new-enterprise-ransomware-of-2021/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/babuk-locker-is-the-first-new-enterprise-ransomware-of-2021/"
	],
	"report_names": [
		"babuk-locker-is-the-first-new-enterprise-ransomware-of-2021"
	],
	"threat_actors": [],
	"ts_created_at": 1775434722,
	"ts_updated_at": 1775791250,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8fb151f60d6b088cdaba1c4ff2c65243a9d6a81.pdf",
		"text": "https://archive.orkl.eu/a8fb151f60d6b088cdaba1c4ff2c65243a9d6a81.txt",
		"img": "https://archive.orkl.eu/a8fb151f60d6b088cdaba1c4ff2c65243a9d6a81.jpg"
	}
}