Babuk – the allegedly Russian-speaking ransomware gang targeting D.C.’s Metropolitan Police Department – posted on the dark web a message that it was shutting down, only to reverse course and pull the message from the site. (Alex Smith/CC0 1.0)

Babuk – the allegedly Russian-speaking ransomware gang targeting D.C.’s Metropolitan Police Department – posted on the dark web a message that it was shutting down, only to reverse course and pull the message from the site.

The D.C. Police Department case broke earlier this week, with reports that Babuk had infiltrated the department’s networks and threatened to make public confidential information, including names of suspected gang member informants and intelligence from crime briefings.

Security experts posted screengrabs on Twitter earlier today of the note by Babuk:

“We are happy to inform you that PD was our last goal, only now they determine whether the leak will be or not, in any case regardless of the outcome of events with PD, the Babuk project will be closed, its source codes will be made publicly available, we will do something like Open Source RaaS, everyone can make their own product based on our product and finish with the rest of the RaaS.”

SC Media touched based with security experts today to get their take on this move by Babuk. Were they spooked by the attention and decide they were in too deep? Would they do what Maze did late last year, and shut down only to resurface as Egregor? Or were they just looking to confuse authorities?

Stefano De Blasi, threat researcher at Digital Shadows, said Babuk’s move comes as a surprise in a historical moment where ransomware groups are getting increasingly bold. De Blasi said Babuk’s operators likely declared their retirement from the ransomware business because the attack against the D.C. Police raised too much attention both from the media and – most importantly – from law enforcement. He said in the past few months, Digital Shadows observed other ransomware actors – such as the Ziggy ransomware team – shutting down their operations in a pre-emptive manner to avoid serious law enforcement actions.

At the same time, Babuk’s operators might have realized that it was highly unlikely that they would get the requested ransom from an American law enforcement agency.

“Another point worth noting is that ransomware groups, and cybercriminals in general, are not new to claiming something and then acting in the opposite way,” De Blasi said. “For example, when the COVID pandemic hit in early 2020, several ransomware groups came out alleging ‘ethical’ intentions, such as avoiding targeting the health and education sectors. We didn’t have to wait long before we’ve observed those same threat groups acting in the exact opposite way. So Babuk’s claims of a shutdown should be taken with a pinch of salt, and authorities should still carefully monitor their actions. As this criminal group declares to have the intention to share its source code with the public, we will likely continue to discuss Babuk’s activity in the future in some way.”

Chad Anderson, a senior security researcher at DomainTools, doubts Babuk will actually close its doors after just over a year in operation, particularly after succeeding in infiltrating such a high-value target.

“The amount of money these ransomware groups are making is massive and a target like a major metro police department is not only potentially lucrative — as they cannot afford downtime — but also highly useful as a way to spider into other networks,” Anderson said. “Police technology encompasses JMS, EMS, RMS, and dozens of other services. A single department is likely to have dozens of vendors that also supply to dozens of other jurisdictions. If I had to guess, Babuk isn’t backing down here, but looking for its next evolution. No cybercriminal walks away from such a lucrative industry when they’ve been so effective over the last year.” 

A number of ransomware services – like GandCrab – retired after being identified and tracked for a period of time, noted Jeff Barker, vice president of product marketing at Illusive. The longer ransomware services are active, the more threat detection intel is available and the greater the probability that government and company investigators could connect it with its source/backer.

“It’s logical that ransomware services backed by nation-state actors will want to avoid attribution and continue regularly retiring existing services and launching new” ones, Barker said.