Thursday, April 24, 2025

Babuk2 Ransomware Issues Fake Extortion Demands Using Data from Old Breaches


Recent investigations by the Halcyon RISE Team have uncovered a concerning trend in the ransomware landscape: the Babuk2 group is issuing extortion demands based on false claims.

Despite announcing numerous attacks, there is no third-party confirmation or evidence from victims that these incidents have actually occurred.

This strategy involves reusing data from earlier breaches to support their extortion claims, targeting organizations with threats that may not be backed by real attacks.


Background and Tactics of Babuk2

Babuk2, also known as Babuk-Bjorka, emerged in January 2025 and is not a direct continuation of the original Babuk ransomware, which was active in 2021.

The group appears to leverage the Babuk name to gain credibility.

Its administrator, Bjorka, has been active on various forums and Telegram, previously associated with other data breaches and extortion attempts.

Many of the victims listed in Babuk2’s announcements were previously targeted by other ransomware groups such as RansomHub, FunkSec, LockBit, and even the original Babuk team.

This recycling of data from past incidents suggests that Babuk2 is more focused on creating a perception of activity than on conducting actual attacks.

Impact on Businesses

The false claims by Babuk2 pose significant financial and reputational risks to businesses.

Even if the attack claims are unfounded, the mere threat can pressure organizations into paying ransoms or investing in unnecessary remediation measures.

It is crucial for business leaders to conduct thorough, independent investigations of any reported breaches to verify if the data being used is from a new breach or simply recycled from previous incidents.

According to the report, this due diligence is essential to prevent unnecessary panic and financial loss.
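One way to run the "new breach or recycled data" check described above is sketched below; this is an added example, not code from Halcyon or from the original article. It assumes the organization retained a copy of the data exposed in the earlier incident and has parsed the extortion "proof" sample into records; the field names (`email`, `customer_id`, `last_modified`), the dates and all records are constructed for illustration.

```python
import hashlib
from datetime import date

def fingerprint(record, fields):
    """SHA-256 over normalized identity fields, so comparisons never need raw values."""
    parts = [str(record.get(f, "")).strip().lower() for f in fields]
    return hashlib.sha256("\x1f".join(parts).encode("utf-8")).hexdigest()

def assess_claim(sample, prior_dump, prior_incident,
                 fields=("email", "customer_id"), date_field="last_modified"):
    """Compare an extortion 'proof' sample against data exposed in an earlier incident."""
    if not sample:
        raise ValueError("empty sample: nothing to assess")
    known = {fingerprint(r, fields) for r in prior_dump}
    # Records absent from the old dump cannot be explained by recycling alone.
    novel = [r for r in sample if fingerprint(r, fields) not in known]
    # A known record modified after the old incident still implies later access.
    newer = [r for r in sample
             if r.get(date_field) and date.fromisoformat(r[date_field]) > prior_incident]
    return {
        "overlap": round(1 - len(novel) / len(sample), 2),
        "novel_records": len(novel),
        "post_incident_records": len(newer),
        "verdict": "investigate" if novel or newer else "recycled",
    }

# Constructed data: what was exposed in the earlier (hypothetical) incident.
PRIOR_INCIDENT = date(2024, 6, 1)
PRIOR_DUMP = [
    {"email": "a.lee@example.com", "customer_id": "1001", "last_modified": "2024-02-11"},
    {"email": "b.cho@example.com", "customer_id": "1002", "last_modified": "2024-03-02"},
    {"email": "c.diaz@example.com", "customer_id": "1003", "last_modified": "2024-04-19"},
]
# Constructed "proof" samples: one fully recycled, one containing newer material.
SAMPLE_RECYCLED = [
    {"email": " A.Lee@Example.com", "customer_id": "1001", "last_modified": "2024-02-11"},
    {"email": "b.cho@example.com", "customer_id": "1002", "last_modified": "2024-03-02"},
]
SAMPLE_MIXED = [
    PRIOR_DUMP[0],
    {"email": "c.diaz@example.com", "customer_id": "1003", "last_modified": "2025-02-10"},
    {"email": "d.ng@example.com", "customer_id": "1004", "last_modified": "2024-03-01"},
]

if __name__ == "__main__":
    print(assess_claim(SAMPLE_RECYCLED, PRIOR_DUMP, PRIOR_INCIDENT))
    print(assess_claim(SAMPLE_MIXED, PRIOR_DUMP, PRIOR_INCIDENT))
```

A "recycled" verdict only describes the sample the extortionist chose to show; it complements, and does not replace, a review of current logs and network integrity.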

Given the high-profile nature of some claims, including an alleged incident targeting Indian military and government data, decision-makers must remain alert and consult with cybersecurity experts to accurately interpret such threats.

Babuk2’s extortion demands appear to be unsubstantiated, relying on previously leaked data to boost credibility and drive ransom payments.

Organizations facing such claims should adopt a proactive approach by verifying network integrity and checking for signs of genuine, new attacks.

This strategy will help mitigate the risks associated with false extortion demands and ensure that resources are allocated effectively in response to actual threats.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
