Babuk2 Ransomware

Under attack by ransomware or suffering a cyber breach?

Speed is critical when facing a live cyber attack. If you believe you’ve been compromised by the Babuk2 ransomware group or another threat actor, contact us immediately.

About Babuk2 ransomware group

Babuk2 ransomware is a recently emerged threat, first detected in early 2024. While this group claims links to the original Babuk ransomware group (known for a series of high-profile ransomware attacks and leaking their source code on the dark web), researchers and the original operators have denied any true connection.

Instead, Babuk2 appears to be a loosely organised or opportunistic threat group that exploits the Babuk name to intimidate and pressure organisations. The behaviour of Babuk2 actors is often chaotic and inconsistent, and many of the group’s claims about successful data breaches lack technical validation. Analysts suggest Babuk2 may operate more as a scam or “copycat” outfit than a truly sophisticated ransomware operation. Many of their campaigns involve unsophisticated threat actors repurposing old, recycled data and making false claims on data leak sites.


If your organisation has been infected with ransomware contact us immediately.

How Babuk2 operators work

Babuk2 relies on a classic double extortion model:

  • Initial access is gained through phishing, exploiting unpatched vulnerabilities, or compromised credentials, leading to fresh network intrusions across multiple sectors.

  • The group first exfiltrates sensitive data to external servers for data theft.

  • They then use robust encryption methods (often elliptic-curve cryptography) to encrypt files, appending the .babuke2 extension.

  • Victims receive a ransom note with instructions to negotiate on a dark web site.

  • If payment is refused, the ransomware group threatens to publish or leak breached data, sample data, or previously leaked data on their data leak site.

The threat actors behind Babuk2 have conducted multiple attacks and often pressure organisations by posting victim posts and alleged intrusion details online. They regularly make false claims about the volume and sensitivity of the stolen data to create panic and coerce payment.

We are equipped to deal with an attack from any ransomware group.

Don’t hesitate to contact us if you are under attack from a ransomware group not listed above. 

Recognising a Babuk2 attack

Babuk2 first appeared in early 2024 and quickly became active across Europe and North America, targeting corporate networks, government agencies, and industrial suppliers. The group has claimed around 180 attacks to date.

Babuk2 is known for using a double extortion model, demanding payment both to decrypt data and to prevent stolen information from being leaked publicly. Victims often face added pressure from the group’s aggressive tactics, including posting data on leak sites and recycling previously breached or leaked files to appear more threatening.

Common signs of a Babuk2 attack include sudden file encryption, ransom notes referencing Babuk2, and threats of data exposure. The group may also reuse elements from earlier Babuk campaigns to boost credibility. Any organisation handling sensitive data and lacking strong cyber defences should treat these indicators seriously, as Babuk2 remains an active and persistent threat.
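The indicators above (files renamed with the .babuke2 extension, ransom notes that reference Babuk2, and a sudden burst of encryption) can be checked for in a read-only sweep of a file share during triage. The script below is an added example written for this page, not Zensec tooling or anything published by the Babuk2 operators. The extension and the note keyword come from the text above; the note-file naming hints, the burst thresholds and the sample directory it builds are assumptions for the demonstration.

```python
import tempfile
from pathlib import Path

# Indicators taken from the page: the extension Babuk2 appends to encrypted
# files and ransom notes that reference the group by name.
ENCRYPTED_EXT = ".babuke2"
NOTE_KEYWORDS = ("babuk2",)

# Assumptions for this example (not documented Babuk2 artefacts): notes are
# small text-like files whose names hint at recovery instructions, and a
# "sudden" encryption event is many renamed files modified in a short window.
NOTE_SUFFIXES = (".txt", ".hta", ".html")
NOTE_NAME_HINTS = ("readme", "restore", "recover", "how_to", "help")
BURST_MIN_FILES = 20
BURST_WINDOW_SECONDS = 300


def _looks_like_note(path: Path) -> bool:
    """True if the file name and contents resemble a Babuk2 ransom note."""
    if path.suffix.lower() not in NOTE_SUFFIXES:
        return False
    if not any(hint in path.stem.lower() for hint in NOTE_NAME_HINTS):
        return False
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return any(keyword in text for keyword in NOTE_KEYWORDS)


def scan_tree(root) -> dict:
    """Walk `root` read-only and collect the indicators listed on the page."""
    root = Path(root)
    encrypted, notes, mtimes = [], [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() == ENCRYPTED_EXT:
            encrypted.append(path.relative_to(root).as_posix())
            try:
                mtimes.append(path.stat().st_mtime)
            except OSError:
                pass
        elif _looks_like_note(path):
            notes.append(path.relative_to(root).as_posix())
    # Burst: enough encrypted files, all modified within the window.
    burst = (len(mtimes) >= BURST_MIN_FILES
             and max(mtimes) - min(mtimes) <= BURST_WINDOW_SECONDS)
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "encryption_burst": burst,
    }


def verdict(findings: dict) -> str:
    """Triage label: both indicators together are the strongest signal."""
    if findings["encrypted_files"] and findings["ransom_notes"]:
        return "strong-match"
    if findings["encrypted_files"] or findings["ransom_notes"]:
        return "possible-match"
    return "no-indicators"


def build_sample_tree(root, encrypted_count: int = 25, with_note: bool = True) -> None:
    """Constructed sample data resembling a file share hit by the behaviour above."""
    finance = Path(root) / "finance"
    finance.mkdir(parents=True, exist_ok=True)
    for i in range(encrypted_count):
        (finance / f"invoice_{i}.xlsx{ENCRYPTED_EXT}").write_bytes(b"\x00" * 64)
    if with_note:
        (finance / "How_To_Restore_Files.txt").write_text(
            "Your network has been compromised by Babuk2. Contact us on our site.")
    (Path(root) / "untouched.txt").write_text("quarterly report draft")


def run_demo(encrypted_count: int = 25, with_note: bool = True) -> tuple:
    """Build a temporary sample tree, scan it, and return (findings, verdict)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, encrypted_count, with_note)
        findings = scan_tree(tmp)
    return findings, verdict(findings)


if __name__ == "__main__":
    findings, label = run_demo()
    print(label, len(findings["encrypted_files"]), findings["ransom_notes"],
          findings["encryption_burst"])
```

The scan only reads file names, metadata and the contents of candidate notes; it writes nothing to the tree it inspects, which matters because the sections below stress that the environment is a crime scene and must be preserved for forensic analysis. Point `scan_tree` at a mounted share to produce a first list of affected paths for the incident responder.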

Why you must not interfere with your ransomware environment

If you discover a physical break-in at your offices, your first instinct would be to call the police; touch nothing and let them search for clues. Then, your focus would shift to restoring business operations.

A cyber-attack requires the same approach. Your digital environment is a CRIME SCENE. It is crucial to leave the environment untouched to allow for a forensic investigation.

This is not a task for your IT team or MSP. Digital forensic specialists are available 24/7 to assist you, just as they would be for a physical crime.

Post breach actions

  • Call an NCSC Cyber Incident Response approved supplier. Some NCSC providers will fund up to 48 hours of investigation into your incident.
  • Report the incident to Report Fraud.
  • Locate your business continuity plan. Work out what you can do without access to your systems and data.
  • Identify your business insurance contact details.

Who are we and what experience do we have in responding to cyber incidents?

We are accredited to ISO 27001 and recognised by the UK’s National Cyber Security Centre (NCSC).

We provide comprehensive cyber risk management services, with a core focus on Digital Forensics and Incident Response (DFIR). Our capabilities are driven by a 24/7 Security Operations Centre and a dedicated in-house intelligence team that delivers timely, actionable threat reporting.

With decades of collective cyber security experience, we have the expertise to assume operational ownership of your entire IT security architecture – simplifying and strengthening cyber security across your business.

We are an Assured Service Provider for Cyber Incident Response (CIR) at the Standard Level. This accreditation demonstrates our ability to deliver high-assurance, effective support in response to a wide range of cyber threats.

Your NCSC-approved supplier is a specialist crime scene investigator who will:

  1. Isolate and preserve your environment for forensic investigation.
  2. Identify where the data has been duplicated and issue a legal takedown order.
  3. Identify your data, application and system restore points. These might be at different points in time and will need to be carefully restored and reconstructed in a pristine environment.
  4. Liaise with your business insurance company and, if needed, with the Police.
  5. Advise you on notifying your customers of your situation.
  6. Rebuild your systems, restore your data and get you back to full operation. Note: this process can take between 2 weeks and 2 months.

Working with us

Our response process

Our team are ransomware recovery specialists with a proven, streamlined approach to resolving incidents quickly and effectively.

Step 1: Triage

We deploy our incident response team the same day. From the first call, we begin onboarding, introduce key stakeholders, set communication schedules, and start gathering critical information to guide the response.

Step 2: Investigation

DFIR (Digital Forensic and Incident Response) teams investigate breaches to identify vulnerabilities, attack vectors, and the impact on your systems, such as loss of personal data (PII). We deliver clear forensic insights to guide mitigation.

Step 3: Contain

Our onsite and remote teams act fast to stop the attack in its tracks. That includes isolating affected systems, removing malicious code, and putting protections in place to prevent further spread or damage.

Step 4: Remediate & Eradicate

Once contained, we work to fully eliminate the threat. This includes fixing exploited vulnerabilities, restoring systems to a secure state, and ensuring no traces of the attack remain.

Step 5: Recover

Our incident response teams help get your business back to normal. We restore access to systems, recover data, and ensure services are safe, stable, and functioning, with minimal downtime.

Step 6: Post Incident

We conduct a full review of the incident response and recovery efforts. Together we assess what happened, what worked, and what can be improved, helping you build stronger defences for the future.

Forensic analysis to drive recovery

Our process includes a thorough digital forensic analysis from step two onwards, and its output becomes a central component of business recovery. Understanding the attack is critical for:

  • Establishing the initial infection date.

  • Determining the extent and spread of the infection.

  • Identifying any data exfiltration, which affects your regulatory position.

  • Ensuring that the attacker, and any tooling or artefacts they leave behind, are eradicated.

It is critical that the analysis of digital evidence is carried out to an agreed plan.

Maximising early root cause discovery and legal leverage

The process is purpose-built to uncover the root cause as early as possible, which is essential to inform remediation / eradication and recovery as well as supporting a legal take-down case if this is applicable. A legal take-down means we can assist in the legal enforcement that stops the criminals from publishing the data, thus undermining the ransom notice.

Our Digital Forensic and Incident Response (DFIR) teams maintain consistent communication throughout. Dedicated Incident Managers and technical engineering leads provide updates during the Cyber Incident Response journey, utilising risk registers and working within change management processes, all from triage through to post-incident, delivering successful business recovery.

Key takeaways

  • You will not be able to access your systems or data.
  • It is advised to disconnect from the internet and shut down your systems, including PCs, to prevent further infections.
  • Your Office 365 system might also be compromised, allowing the attackers to monitor your responses. Avoid communicating with individuals through your primary email or team systems.
  • Threat actors typically infiltrate your system at least 2-4 weeks before you become aware of the attack. Your data will have already been exfiltrated. If your system is encrypted, this was not an overnight event.
  • Ransom demands in the UK typically range from £500,000 to £3 million, with some sectors, like education, facing demands that exceed £5 million.
  • Paying the ransom may violate financial sanctions, which is a criminal offence and could result in a custodial sentence or further financial penalties.
  • If your data is sold or published online, it puts your customers and staff at risk, potentially implicating you in a Data Protection breach.
  • You will need to submit a data takedown request to the initial location where the data was transferred.
  • Do not overwrite the encrypted data. It is crucial to determine when the infection began and where the data was sent.
  • Avoid rebuilding from the latest backup, as it is likely to be infected.

Why should I trust Zensec to do this work rather than my IT team?

A forensic analysis needs to be meticulous, and a clean restore and recovery requires a wealth of experience not normally available in an in-house team, which must provide a broader range of IT support skills:

  • Internal IT teams do not have the necessary skill set to resolve encryption incidents themselves.

  • IT teams may recover to the same position as before, with the indicators of compromise still in place and ready to be exploited again, which can lead to another breach.

  • Internal teams are under pressure to restore business operations and may recover before forensic analysis even begins, potentially destroying the crime scene before the investigation is complete.


Frequently asked questions

Key information when you’re under pressure.

Babuk2 appears to be a different threat group from the original Babuk, though they use the Babuk name and some of the same ransomware strains and tactics. Many of the group’s claims are exaggerated or based on recycled data, and there is little evidence of direct ties between Babuk2 and the original Babuk operators.

Babuk2 and other ransomware groups gain initial access through phishing, unpatched vulnerabilities, and weak passwords. They often use previously leaked data to identify new targets. Prevent future attacks by:

  • Applying all software patches and updates promptly.

  • Enforcing strong, unique passwords and multi-factor authentication.

  • Training staff to spot phishing attempts.

  • Regularly reviewing access controls and removing unnecessary accounts.

  • Engaging with a threat intelligence partner like Zensec for ongoing monitoring.

Payment to Babuk2 or other ransomware groups is never guaranteed to solve the problem. Babuk2 actors are known for false claims and for publishing previously leaked data regardless of payment. In the UK, paying ransoms may violate financial sanctions; see the latest sanctions list. Instead, rely on professional incident response for recovery.

The NCSC is the UK National Cyber Security Centre. They provide cyber security guidance and support, helping to make the UK the safest place to live and work online. They have defined a Cyber Incident Response procedure and they have approved and accredited suppliers to provide this service.

https://www.ncsc.gov.uk/

As a recognised Assured Service Provider by the National Cyber Security Centre (NCSC), Zensec provide comprehensive cyber risk management services that are designed to Protect, Detect & Mitigate cyber security threats across the UK.

Report Fraud is the UK's national reporting centre for fraud and cybercrime. Whether you have been scammed, defrauded, or experienced cybercrime in England, Wales, or Northern Ireland, Report Fraud offers a central point of contact for information on fraud and financially motivated cybercrime.

https://www.reportfraud.police.uk/

https://www.actionfraud.police.uk/

Yes. If sensitive data or personal data is stolen, you may need to inform customers, regulators, and law enforcement agencies, including Action Fraud. Zensec will advise you through all mandatory and recommended notifications.

Ransomware attacks by Babuk2 and other ransomware groups cause operational downtime, data loss, reputational harm, and legal risk. The effect on your business depends on the speed and quality of your response, the nature of the breached data, and how well you communicate with stakeholders. Zensec helps you recover securely and strengthens your defences for the future.

Dealing with a ransomware attack?
Our ransomware recovery service can help

Our expert team works quickly to contain the breach, recover your data, and restore your systems to full operation. We’ll guide you through every step of the recovery process and help strengthen your defences to prevent future attacks. Regain control with Zensec - trusted support when it matters most.