DeepWeb Intelligence Feed

Babuk Ransomware: if you Hit and Run, do not leave a trace

In April 2021 the Babuk ransomware gang decided to close its affiliate program and move to an extortion model that does not rely on encrypting victim computers (BleepingComputer).


Meanwhile, we found on the deep web an active onion server related to the Babuk ransomware group.

On the server, we saw a weird directory that we started to check. After the scan we were able to see that the onion website is full of active chat sessions. In an active session, we can view all conversations between the Babuk ransomware group and the victims; the session basically takes you into the “Chat Conversation Page” with the full chat history. That gives us an inside look into the negotiation process.


(Yep, almost all the Nasdaq/big firms use the same ransomware negotiators)


The exposure was achieved by brute-forcing a long string in the onion server URL that contains 24 digits. With the Tor speed and the WAF they installed we could get some data, but the brute-forcing process takes a lot of time.


For now, we share only two cases. In one of them Babuk asks for 4 million dollars in Bitcoin or 3.5 million in Monero cryptocurrency; after the victim refuses to pay, the Babuk gang threatens and puts the firm under heavy pressure: “It is easier for us to post it and not waste time on you” – “Tell your boss to save this money for numerous lawsuits against the company”.

In the other case we share, you can see the pricing method, which is 10% of the victim's annual revenue: “Relying on your annual revenue and the degree of confidentiality of the information we received, the price is 1,000,000 $”.

After the ransom payment, the Babuk gang promises to delete all the files from its servers and gives the victim a report describing how they got into the network, to protect them from future ransomware attacks.

From the onion website, we can say that the next Payload.bin victim will be the firm NexusTek, which has 24.4 million in revenue in 2021.

(UPDATE 5.7.2021) – The next victims

During our investigation, we found three more onion servers related to the Payload.bin gang. On these servers, we found more “Active Sessions” containing the full chat history between Payload.bin and the new victims. From this data, we can determine who the next victims of the Payload.bin gang are.

From the files, we can tell that Payload.bin runs a public tool like ADRecon to gather information on the victim network. From the ADRecon output we can see that Payload.bin got access to their network on 26/6/2021.

Also, Payload.bin uploaded a mimikatz dump with all the administrator users on the domain controller.


After the “NexusTek” hack, we noticed a new active session created on the Payload.bin server, this time containing another chat history with another victim in the US, “BUTT CONSTRUCTION” (this is the real name). Here is the chat history.

Payload.bin uploaded proof that they have the stolen data.

There is another firm hacked by Payload.bin that we detected from the data we got, but we can't reveal the name of the firm for now. We can, however, share the chat history.

Look at what Payload.bin says about one of the last victims: “we posted cdroject red who refused to pay us, and have already lost on this 1 billion dollars, we will also contact our friends in the news, so that they discuss your company and that your data has leaked”.


Soon, more to come…