2021’s First Big Ransomware Gang Launches Sleek and Bigoted “Leak” Site

Screenshot: Lucas Ropek

Every year sees a number of new ransomware gangs emerge and take a swing at becoming the most prolific operators in the digital underworld. Well, 2021 officially has its first new high-profile ransomware operation and they are definitely arseholes.

The group behind Babyk Locker ransomware, a malware that has been heralded as the first new “enterprise ransomware” of 2021, recently launched its first data leak site — a forum where hackers post and publicise data stolen from their victims if the victims refuse to pay them. The group, which surfaced a few weeks ago, has been dubbed a “Big Game Hunter” for its strategy of targeting large institutions for bigger payouts. It has already struck a number of big entities — apparently compromising a car parts manufacturer, a U.S.-based heating firm, and an elevator company, among others.

Interestingly, the group has made it known that, in addition to being criminals, they are also homophobic and racist.

Emsisoft threat researcher Brett Callow shared Babyk’s new site with us, and we noticed some unusual language. On the site, the group lists some parameters for its operations, outlining a kind of “hacker’s code” regarding which entities it will and will not attack. On the list, the group notes that it supports small businesses (it promises to attack only firms that make more than $US4 ($5) million annually), it supports education (it won’t attack schools “except the major universities”), and it says it will stop short of attacking hospitals (except apparently “private plastic surgery clinics” and some dentists’ offices). So far they sound like real hackers of the people.

Screenshot: Lucas Ropek

However, the group’s “code” takes somewhat of a dark turn when they discuss their views on attacking charities: Babyk says they don’t like to attack non-profits or charities, but they will make an exception when it comes to groups that “help LGBT and BLM” (Black Lives Matter).

In addition to this, the group seems to have a somewhat warped sense of humour: In Babyk’s “About Us” section on its site, the group maintains that they are “not criminals,” merely security-minded individuals who look to test corporate security systems and ask for a fee in return. Audaciously, the group calls their cyberattacks “audits.”

“In our understanding – we are some kind of a cyberpunks [sic], we randomly test corporate networks security and in case of penetration, we ask money, and publish the information about threats and vulnerabilities we found, in our blog if company doesn’t want to pay,” the site reads.

In just several weeks, Babyk has managed to make quite a splash. Before the launch of their new site, Babyk posted large data dumps on the popular dark web site Raid Forums. Callow told Gizmodo that the group was also responsible for a recent cyberattack on Serco, a multinational outsourcing firm that has been involved in Covid-19 track and trace efforts. The firm’s track and trace operation is said to have been unaffected by the attack.

“This is probably the first new big game-hunting ransomware of 2021. New ransomware pops up all the time,” said Callow. “Lots of them are skid-created and amateurish though. Groups/ransomware that have abilities to successfully target large enterprise – the big game hunters – are a little more unusual.”