Babuk

Babuk, also known as Babyk and Babuk Locker, is a ransomware operation that surfaced at the beginning of 2021 and targeted businesses in double-extortion attacks. The group became notable for high-profile activity including the April 2021 attack on the Washington, D.C. Metropolitan Police Department, after which stolen data was leaked publicly. Babuk later announced it was retiring from ransomware operations and shifting toward data theft and extortion-only activity, and reporting cited in the content describes Babuk as one of the early adopters of encryption-less extortion. The group used Windows, VMware ESXi, and NAS ransomware tooling. Babuk was one of the early players in ESXi ransomware, and its leaked 2021 builder/source code exposed C++-based Linux ELF ESXi tooling, Golang-based NAS tooling, and C++-based Windows tooling. Subsequent reporting in the content states that this leak enabled many other ransomware families to build Babuk-derived ESXi/Linux lockers, complicating attribution. Tactics and techniques directly mentioned in the content include DLL sideloading using the legitimate NTSD.exe debugger to deliver ransomware, and deletion of shadow copies via vssadmin delete shadows /all /quiet. The content also attributes common Babuk-associated initial access activity to exploitation of VPN and email server vulnerabilities, including Fortinet and ProxyLogon, though some of that reporting is framed through statements by alleged operator Mikhail Matveev. The content links Babuk closely to Russian cybercriminal Mikhail Pavlovich Matveev, also known as Wazawaka, Boriselcin, Orange, Biba99, TetyaSluha, and Uhodiransomwar. Reporting cited here describes Boriselcin as the public-facing persona of the Babuk affiliate program, and Orange/Wazawaka as the administrator who later launched the RAMP cybercrime forum using Babuk infrastructure after internal disputes and the group’s splintering. The content also references Babuk V2 and later Babuk-branded or resurrected/impersonation activity, including Babuk 2.0 and a purported 2025 revival, but also notes that some later Babuk-branded operations were assessed as impersonation or scam activity rather than continuity of the original group. Sub-groups and related entities directly mentioned in the content include Babuk V2, Groove, and RAMP. The content states McAfee assessed Groove as a former affiliate or subgroup of Babuk, and multiple reports describe RAMP as emerging from disputes among Babuk members. The content does not provide high-confidence state attribution for Babuk as a nation-state actor.