Ransomware attacks, specifically the so-called Babuk Locker 2.0, have resurfaced in 2025 and are attributed to groups named Skywave and Bjorka. Investigations reveal that Babuk Locker 2.0 is essentially a rebranding of LockBit 3.0, using similar techniques and targeting high-profile organizations across various sectors.
Affected: organizations, government agencies, cybercriminal sectors
Key points:
- Ransomware threat persists, causing significant organizational disruption.
- Babuk Locker originally shut down in 2021, now appears to be revived under the name Babuk Locker 2.0.
- Key groups involved in the resurgence are Skywave and Bjorka.
- Analyses suggest the new strain is merely a rebranding of LockBit 3.0.
- Victims include high-profile entities like Amazon and government institutions.
- Evidence of overlapping victims with other ransomware groups suggests possible collaboration or opportunism among threat actors.
MITRE Techniques:
- T1484: Group Policy Modification – Disabling key security and backup services to maximize ransomware impact.
- T1499: Endpoint Denial of Service – Terminating various applications and system processes to prevent recovery attempts.
- T1068: Exploitation for Client Execution – Use of compromised Autonomous Proxy for Active Directory enumeration.
- T1027: Obfuscated Files or Information – Implementation of API harvesting to evade detection.
Indicators of Compromise:
- [Domain] 7dikawx73goypgfi4zyo5fcajxwb7agemmiwqax3p54aey4dwobcvcyd.onion
- [Domain] imblth46g3x5oo444wkjn7umj4g26tnhmrlo53ovfqmmkmughdw4j2ad.onion
- [Domain] bxwu33iefqfc3rxigynn3ghvq4gdw3gxgxna5m4aa3o4vscdeeqhiqad.onion
- [Email Address] babuklockerofficial@onionmail.org
- [Tox ID] 022A7EEB83B648F55DA7A6BEFD130C2156C74F3501A31D853234EC2D18E77A1E5BEC7F60201
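The indicators above are only useful once they are checked against something. The following script is an added example, not code from the Rapid7 write-up: it loads the report's three .onion domains, contact e-mail address and Tox ID into indicator sets and scans a handful of constructed log lines (DNS, mail, proxy and file-content records invented for this example) for exact matches. Function and variable names (scan_lines, summarize, Hit, SAMPLE_LOGS) are this example's own.

```python
"""Match the report's IoCs against log lines.

Added example. The indicator values come from the report's IoC list; the log
lines, function names and data structures below are constructed for
illustration and are not part of the original report.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Indicators copied from the report (domains and e-mail kept lowercase so
# comparisons against lowercased log text are exact).
IOC_DOMAINS = {
    "7dikawx73goypgfi4zyo5fcajxwb7agemmiwqax3p54aey4dwobcvcyd.onion",
    "imblth46g3x5oo444wkjn7umj4g26tnhmrlo53ovfqmmkmughdw4j2ad.onion",
    "bxwu33iefqfc3rxigynn3ghvq4gdw3gxgxna5m4aa3o4vscdeeqhiqad.onion",
}
IOC_EMAILS = {"babuklockerofficial@onionmail.org"}
IOC_TOX_IDS = {
    "022A7EEB83B648F55DA7A6BEFD130C2156C74F3501A31D853234EC2D18E77A1E5BEC7F60201",
}


@dataclass(frozen=True)
class Hit:
    line_no: int     # 1-based index of the matching input line
    kind: str        # "domain", "email" or "tox_id"
    indicator: str   # the matched indicator, normalised to lowercase


# Candidate .onion tokens (base32 alphabet, legacy 16-char or v3 56-char
# names). Each candidate is then compared against the exact indicator set, so
# an unrelated .onion name in the logs does not produce a hit.
_ONION_RE = re.compile(r"\b([a-z2-7]{16,56}\.onion)\b")


def scan_lines(lines):
    """Return a list of Hit records for every IoC found in the given lines."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        lowered = line.lower()
        for match in _ONION_RE.finditer(lowered):
            if match.group(1) in IOC_DOMAINS:
                hits.append(Hit(line_no, "domain", match.group(1)))
        for email in IOC_EMAILS:
            if email in lowered:
                hits.append(Hit(line_no, "email", email))
        for tox_id in IOC_TOX_IDS:
            if tox_id.lower() in lowered:
                hits.append(Hit(line_no, "tox_id", tox_id.lower()))
    return hits


def summarize(hits):
    """Count hits per indicator kind, e.g. {"domain": 1, "email": 1}."""
    return dict(Counter(hit.kind for hit in hits))


# Constructed sample log lines (not real telemetry). Line 2 carries one of the
# report's domains, line 3 the contact address, line 5 the Tox ID; line 4 has
# an unrelated .onion name that must not match.
SAMPLE_LOGS = [
    "2025-04-02T10:15:01Z dns client=10.0.0.21 query=intranet.example.internal type=A",
    "2025-04-02T10:15:07Z dns client=10.0.0.21 "
    "query=7dikawx73goypgfi4zyo5fcajxwb7agemmiwqax3p54aey4dwobcvcyd.onion type=A",
    "2025-04-02T10:16:30Z mail from=payroll@corp.example "
    "to=BabukLockerOfficial@onionmail.org subject=re",
    "2025-04-02T10:17:02Z proxy client=10.0.0.33 url=http://abcdefghijklmnop.onion/ status=403",
    "2025-04-02T10:18:11Z fs path=C:\\Users\\Public\\note.txt contains='tox: "
    "022a7eeb83b648f55da7a6befd130c2156c74f3501a31d853234ec2d18e77a1e5bec7f60201'",
]


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOGS)
    for hit in found:
        print(f"line {hit.line_no}: {hit.kind} -> {hit.indicator}")
    print(summarize(found))
```

Matching is deliberately exact rather than fuzzy: .onion names are not resolved by the public DNS, so any appearance of one of these specific names in DNS, proxy or mail logs is worth a ticket, while a generic .onion lookup on its own only says a Tor-capable client is present. Feed the script your own exported log lines in place of SAMPLE_LOGS.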
Full Story: https://blog.rapid7.com/2025/04/02/a-rebirth-of-a-cursed-existence-the-babuk-locker-2-0/