Babuk Ransomware Gang Ransomed, New Forum Stuffed With Porn

A comment spammer flooded Babuk’s new ransomware forum with gay orgy porn GIFs and demanded $5K in bitcoin.

The Babuk ransomware gang’s new rebrand isn’t going so well. It seems the cybercriminal group has been a victim of a ransomware attack of its own.

Babuk’s latest endeavor, a Dark Web ransomware forum called RAMP, was crippled over the weekend by a spammer who overloaded the site with same-sex pornographic GIFs, according to Recorded Future.

The attacker told Babuk they wanted $5,000. Babuk told them to pound sand, refused to pay and deleted the original post. But even after wiping the forum several times, Recorded Future said the attacker was still able to bombard the forum with pornographic GIFs.


Malware source code detector vx-underground also picked up on the feud, calling it “Ransomware group drama.”

“RAMP, the forum started by Babuk ransomware group, has seen a surge of flooding and spamming. An unknown individual is stating they have 24 hours to pay $5,000 or else,” vx-underground posted. “Ransomware actors are ransoming other ransomware actors.”

Babuk’s Reboot Stalls

Babuk has had a rough few months.

After hitting the Washington D.C. police department in April with a ransomware attack, the group vowed to retire in a short goodbye note. If they did retire, it was short-lived. In May, Babuk started leaking data from the D.C. police breach.

By early this month, the group had uploaded its ransomware source code to VirusTotal and renamed its leak site Payload.bin in what seemed like a launch of a ransomware-as-a-service (RaaS) business.

Then the operators had a new business idea: to hop on the opportunity left by malware discussions getting shushed in the wake of the Colonial Pipeline attack. In late May, the XSS underground forum had banned ransomware ads. The Exploit forum followed suit within a day, and a few hours later, the operators behind the RAID forum rounded out a trio of ransomware-chat bans.

Then, two weeks ago, Babuk launched RAMP: a new forum where threat actors could connect and openly discuss their ransomware business.

It’s still to be determined what impact this latest spammer attack will have on Babuk’s ability to court cybercriminals in the gang’s corner of the dark web.

At the time when Maze announced its retirement, Adam Kujawa, director of Malwarebytes Labs, warned against trying to read too much into anything these cybercrime groups say. “Ransom actors are professional liars and scammers; to believe anything they say is a mistake,” he reportedly said.

Now that ransomware actors have turned on one another, things might be about to get even more interesting.
