Babuk2, a ransomware group operating under multiple aliases, targets critical sectors including Government, Healthcare, Finance, and Defense contractors with extortion strategies that often reuse previously leaked data combined with newly harvested information. The group has claimed 83 victims as of March 2025 according to Bitdefender's April 2025 Threat Debrief, though their authenticity is questionable given that many targets overlap with claims from other ransomware groups like RansomHub and Lockbit.

CYBER INSIGHTS | APR 17, 2025

Overview

Babuk2, a successor to the original Babuk ransomware operation, has reemerged under multiple aliases and continues to operate under a Ransomware-as-a-Service (RaaS) model. The group is known for reusing historical breach data, hosting exposed records on extortion portals and messaging platforms to intimidate victims into compliance. Babuk2 primarily targets critical sectors, including Government, Healthcare, Finance, and Defense contractors. Its re-extortion strategies often rely on recycling previously leaked data, supplemented by newly harvested information from reconnaissance or third-party compromises. While this makes attribution of recent intrusions more complex, the group's infrastructure and tactics consistently align with financially motivated, state-tolerated ransomware operations.

Recent investigations have revealed that Babuk2, also known as Babuk-Bjorka, frequently reuses data from earlier breaches to support its extortion claims. Given that RansomHub and LockBit have recently targeted, and claimed, many of the victims Babuk2 reports, the questionable authenticity of Babuk2's claims suggests a strategy focused more on intimidation than on new intrusions. Organizations should verify any alleged intrusions independently and consider the possibility that Babuk2's threats may be based on recycled or publicly available data rather than new breaches.


Threat Actor Breakdown

Babuk Ransomware Group (Babuk2, Bjorka, SkyWave)

Emergence Date

Originally surfaced in early 2021 and reemerged under new variants and aliases through 2023–2025.

Attribution

Financially motivated RaaS group; suspected Russian-speaking origins.

Associated Malware

Babuk ransomware, Babuk builder leak derivatives, and affiliated locker payloads.

Targets

Frequently targets Healthcare, Government, IT services, and Defense Contractors across the U.S. and Europe.

Common Tactics

Uses extortion-based leaks, stolen credentials, and phishing to stage opportunistic or follow-up attacks.

Recent Activities

In March 2025, Babuk2 claimed 83 victims, according to Bitdefender's April 2025 Threat Debrief. The group is noted for leaking victim data rather than deploying ransomware and has a history of revictimization, taking credit for victims already claimed by other ransomware groups.


Tactics, Techniques, and Procedures (TTPs)

  • Initial Access: Use of phishing emails, social engineering, or exploitation of unpatched public-facing infrastructure.
  • Execution: Deployment of payloads post-access using frameworks like Cobalt Strike or proprietary loaders.
  • Persistence: Registry modification, scheduled tasks, or credential stuffing to retain long-term access.
  • Evasion: Disabling endpoint defenses, wiping event logs, and using encrypted communication.
  • Exfiltration & Impact: Data staging for extortion, encryption of files, and use of multi-extortion tactics (publishing sensitive data when the ransom is unpaid).
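The persistence and evasion entries above (scheduled tasks, registry modification, wiping event logs) map to Windows events a SOC already collects. The following is an added example, not code from the original brief or from any vendor; it runs three simple rules over a constructed list of Windows event records. The record layout (dicts with `channel`, `event_id`, `host` and a `data` map) is an assumption about how a SIEM normalises events; the event IDs themselves are the standard ones: Security 4698 (scheduled task created), Security 1102 (audit log cleared) and Sysmon 13 (registry value set).

```python
"""Flag persistence and log-wiping activity in Windows event data.

Added example, not from the original brief. Record shape (dicts with
'channel', 'event_id', 'host', 'data') is an assumed SIEM normalisation.
"""

# Constructed sample events: one workstation showing task persistence,
# a Run-key write and a cleared audit log, plus a benign task on WS02.
SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4624, "host": "WS01",
     "data": {"TargetUserName": "jdoe", "LogonType": "2"}},
    {"channel": "Security", "event_id": 4698, "host": "WS01",
     "data": {"SubjectUserName": "jdoe", "TaskName": "\\Updater",
              "TaskContent": "<Exec><Command>C:\\Users\\Public\\svc.exe</Command></Exec>"}},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13, "host": "WS01",
     "data": {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc",
              "Details": r"C:\Users\Public\svc.exe", "Image": r"C:\Windows\System32\reg.exe"}},
    {"channel": "Security", "event_id": 1102, "host": "WS01",
     "data": {"SubjectUserName": "jdoe"}},
    {"channel": "Security", "event_id": 4698, "host": "WS02",
     "data": {"SubjectUserName": "SYSTEM",
              "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
              "TaskContent": "<Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec>"}},
]

# User-writable locations that a scheduled task should not normally launch from.
SUSPICIOUS_PATHS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\programdata\\")
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def classify(event):
    """Return (technique, reason) when an event matches a rule, else None."""
    eid, data = event["event_id"], event["data"]
    chan = event["channel"].lower()
    if chan == "security" and eid == 1102:
        return ("evasion:audit_log_cleared",
                f"cleared by {data.get('SubjectUserName')}")
    if chan == "security" and eid == 4698:
        content = data.get("TaskContent", "").lower()
        if any(p in content for p in SUSPICIOUS_PATHS):
            return ("persistence:scheduled_task",
                    f"task {data.get('TaskName')} runs from a user-writable path")
        return None
    if chan.endswith("sysmon/operational") and eid == 13:
        target = data.get("TargetObject", "").lower()
        if any(k in target for k in RUN_KEYS):
            return ("persistence:registry_run_key",
                    f"{data.get('TargetObject')} -> {data.get('Details')}")
    return None


def hunt(events):
    """Return (host, technique, reason) for every matching event, in order."""
    hits = []
    for ev in events:
        result = classify(ev)
        if result:
            hits.append((ev["host"], result[0], result[1]))
    return hits


def hosts_with_multiple_techniques(hits):
    """Hosts where more than one distinct technique fired: escalate these first."""
    per_host = {}
    for host, technique, _ in hits:
        per_host.setdefault(host, set()).add(technique)
    return sorted(h for h, t in per_host.items() if len(t) > 1)


if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("escalate:", hosts_with_multiple_techniques(hits))
```

Each rule on its own is noisy (administrators create tasks and occasionally clear logs); the useful signal is the combination on one host within a short window, which is what `hosts_with_multiple_techniques` surfaces. A 1102 event following new persistence on the same host is the pattern to page on.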

Recommendations

  • Enhance Email Security Monitoring: Enable advanced filtering and DMARC enforcement to reduce spoofing risk tied to exposed executive identities.
  • Phishing Campaign Detection: Proactively monitor user-reported emails and SMS phishing trends to detect evolving lures referencing exposed data.
  • Audit External Exposure: Reassess what publicly accessible assets may reveal sensitive company information. Sanitize unnecessary exposure.
  • Executive Protection Measures: Apply targeted protections to high-value personnel, including identity monitoring, two-factor authentication, and restricted access policies.
  • Incident Response Preparation: Conduct tabletop exercises involving threat actor-leaked data and simulate extortion attempts to ensure readiness.
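"DMARC enforcement" in the first recommendation means more than publishing a record: a record with `p=none`, a reduced `pct`, or a weaker subdomain policy still lets spoofed mail through. The following is an added example, not from the original brief, that parses DMARC TXT records and reports whether they actually enforce. The records are constructed for a hypothetical `example.com`, not fetched from DNS.

```python
"""Check whether a DMARC record actually enforces a policy.

Added example, not from the original brief. Parses the RFC 7489
'tag=value; tag=value' TXT syntax; sample records below are constructed.
"""

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a lower-cased tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return (enforced, findings) for one record.

    enforced is True only when the domain policy and subdomain policy are
    quarantine/reject and apply to 100% of failing mail.
    """
    tags = parse_dmarc(txt)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["not a DMARC record (v=DMARC1 missing)"]
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append(f"p={policy or 'missing'} only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))          # pct defaults to 100 when absent
    if pct < 100:
        findings.append(f"pct={pct}: {100 - pct}% of failing mail bypasses the policy")
    sub = tags.get("sp", policy).lower()       # sp inherits p when absent
    if sub not in ENFORCING:
        findings.append(f"sp={sub or 'missing'}: subdomains are not enforced")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports are not collected")
    enforced = policy in ENFORCING and pct == 100 and sub in ENFORCING
    return enforced, findings


# Constructed records for a hypothetical domain, not real DNS data.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=reject; pct=50; sp=none; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        enforced, findings = assess_dmarc(record)
        print(f"{name}: {'ENFORCED' if enforced else 'NOT ENFORCED'}")
        for finding in findings:
            print("  -", finding)
```

To check a live domain, feed it the TXT record published at `_dmarc.<domain>` (for example the output of `dig +short TXT _dmarc.example.com`). The `pct` and `sp` checks matter in practice: a `p=reject` record with `pct=50` or `sp=none` is frequently left behind after a staged rollout and looks enforced at a glance.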

Hunter Insights

Based on an analysis of Babuk2's recent activities and patterns, this threat actor likely represents sophisticated criminal opportunism rather than a genuine ransomware operation. Despite claims of conducting numerous successful attacks in early 2025, evidence indicates no new ransomware encryption or network intrusions from this group. Most of the listed victims had previously been claimed by other ransomware groups, including RansomHub, FunkSec, LockBit, and Meow, on their own data leak sites. Looking ahead, Babuk2 will likely continue this deceptive strategy throughout 2025, potentially evolving toward more sophisticated social engineering techniques that target executive personnel with fabricated breach evidence to extract payments without actual network compromise. Organizations should implement rigorous verification protocols for alleged breaches and focus security resources on monitoring for genuine emerging threats rather than responding to Babuk2's increasingly transparent extortion attempts.
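Both the Overview (verify alleged intrusions independently, since claims may rest on recycled data) and the paragraph above (rigorous verification protocols for alleged breaches) come down to one question: does the actor's "proof" sample contain anything that was not already exposed? The following is an added example, not from the original brief, of how an IR team can answer that offline. It checks each record in a claimed sample against a hashed index of records known from an earlier breach and against the current HR directory. The record layout (email, name, title) and all sample data are constructed assumptions.

```python
"""Triage an extortion 'proof' sample against already-exposed data.

Added example, not from the original brief. Record layout and all sample
data below are constructed; the index stores hashes, never plaintext PII.
"""
import hashlib


def fingerprint(email, name, title):
    """Normalised SHA-256 of a record so the prior-leak index holds no plaintext."""
    canon = "|".join(s.strip().lower() for s in (email, name, title))
    return hashlib.sha256(canon.encode()).hexdigest()


# Records confirmed exposed in an earlier, publicly known breach (constructed).
PRIOR_LEAK_INDEX = {
    fingerprint("a.lee@example.com", "Alice Lee", "CFO"),
    fingerprint("b.ortiz@example.com", "Ben Ortiz", "IT Manager"),
    fingerprint("c.wu@example.com", "Cara Wu", "Analyst"),
}

# Current HR directory, email -> (name, title) (constructed).
CURRENT_DIRECTORY = {
    "a.lee@example.com": ("Alice Lee", "CFO"),
    "b.ortiz@example.com": ("Ben Ortiz", "Head of Infrastructure"),  # title changed since old breach
    "d.khan@example.com": ("Dev Khan", "Security Engineer"),         # hired after old breach
}

# Sample the actor publishes as proof of a "new" breach (constructed).
CLAIMED_SAMPLE = [
    ("a.lee@example.com", "Alice Lee", "CFO"),
    ("b.ortiz@example.com", "Ben Ortiz", "IT Manager"),
    ("c.wu@example.com", "Cara Wu", "Analyst"),
]

# A sample that would indicate genuinely new access (constructed).
FRESH_SAMPLE = [
    ("d.khan@example.com", "Dev Khan", "Security Engineer"),
    ("b.ortiz@example.com", "Ben Ortiz", "Head of Infrastructure"),
]


def classify_record(record, prior_index=PRIOR_LEAK_INDEX, directory=CURRENT_DIRECTORY):
    """Label one record: recycled (known leak), current (fresh), stale, or unknown."""
    email, name, title = record
    if fingerprint(email, name, title) in prior_index:
        return "recycled"
    current = directory.get(email.strip().lower())
    if current is None:
        return "unknown"
    if (name.strip().lower(), title.strip().lower()) == tuple(s.lower() for s in current):
        return "current"
    return "stale"


def triage(sample, prior_index=PRIOR_LEAK_INDEX, directory=CURRENT_DIRECTORY):
    """Count labels across the sample and return (counts, verdict)."""
    counts = {"recycled": 0, "current": 0, "stale": 0, "unknown": 0}
    for record in sample:
        counts[classify_record(record, prior_index, directory)] += 1
    if counts["current"] > 0:
        verdict = "contains data not previously exposed: treat as possible new compromise"
    elif counts["recycled"] == len(sample):
        verdict = "entirely recycled from known prior leak: no evidence of new access"
    else:
        verdict = "mixed or unknown provenance: investigate before responding"
    return counts, verdict


if __name__ == "__main__":
    for label, sample in (("claimed", CLAIMED_SAMPLE), ("fresh", FRESH_SAMPLE)):
        counts, verdict = triage(sample)
        print(label, counts, "->", verdict)
```

The ordering of the checks is deliberate: a record that still matches the directory but also sits in the prior-leak index is labelled recycled, because it proves nothing about new access. Only records that match current state and were never exposed before count as evidence of a new intrusion, and those are what should trigger a full incident response rather than a payment discussion.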

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.