Babuk ransomware decryptor released to recover files for free
Czech cybersecurity software company Avast has created and released a decryption tool to help victims of Babuk ransomware recover their files for free.
According to Avast Threat Labs, the Babuk decryptor was created using the leaked source code and decryption keys.
The free decryptor can be used by Babuk victims who have had their files encrypted using the following extensions: .babuk, .babyk, .doydo.
Victims of Babuk ransomware can download the decryption tool from Avast servers and decrypt entire partitions at once using the instructions displayed in the decryptor user interface.
Based on BleepingComputer’s testing, this decryptor will likely only work for victims whose keys were leaked as part of Babuk’s source code dump.
Ransomware and decryption key leaks
The full source code of the Babuk gang ransomware was leaked on a Russian-speaking hacking forum last month by a threat actor claiming to be a member of the ransomware group.
The alleged Babuk member's decision to disclose the code was prompted by his terminal cancer. He said in his leaked post that he decided to release the source code when he had to “live like a human”.
The shared archive contained various Visual Studio Babuk ransomware projects for VMware ESXi, NAS, and Windows encryptors, with the Windows folder containing the full source code for the encryptor, the Windows decryptor, and what looked like private and public key generators.
The leak also included encryptors and decryptors compiled for specific victims of the ransomware gang.
After the leak, Emsisoft CTO and ransomware expert Fabian Wosar told BleepingComputer that the source code is legitimate and that the archive may also contain decryption keys for old victims.
Babuk’s troubled story
Babuk Locker, also known as Babyk and Babuk, is a ransomware operation that started in early 2021 when it began targeting businesses to steal and encrypt their data in double-extortion attacks.
After their attack on the Metropolitan Police Department (MPD) in Washington DC, they landed in the crosshairs of US law enforcement and claimed to have shut down operations after starting to feel the heat.
After the attack, the gang’s “administrator” reportedly wanted to disclose the stolen MPD data online for advertising purposes, while the other members opposed it.
Following this, the Babuk members went their separate ways, with the original administrator starting the Ramp cybercrime forum and the others releasing ransomware as Babuk V2, continuing to target and encrypt victims ever since.
Right after the launch of the Ramp Cybercrime Forum, it was the target of a series of DDoS attacks which ultimately rendered the site unusable.
While Babuk’s administrator blamed his former partners for the third incident, the Babuk V2 team told BleepingComputer that they were not behind the attacks.