A ransomware group that claimed to be retiring after an audacious attack on Washington DC’s police department appears to be back in action after reportedly targeting a Japanese firm.
Yamabiko, a Tokyo-headquartered manufacturer of power tools and agricultural and industrial machinery, was apparently added to the data leak site used by the Babuk group.
Although official confirmation is still pending from the firm itself, reports suggest the Russian-speaking threat actors have already released some of the data on their naming-and-shaming site.
This includes personally identifiable information (PII) on employees, product schematics, financial data and more, according to TechNadu.
The group reportedly claimed to have a total of 0.5TB of data in its possession.
With annual revenue exceeding $1 billion, Yamabiko is a prime candidate for targeting by “hands-on-keyboard” ransomware attacks which often use “living-off-the-land” techniques and legitimate tools like Cobalt Strike to move laterally inside networks and exfiltrate data.
Confusingly, the Babuk group intimated last month that its attack on the Washington DC police department, in which it threatened to release stolen data on officers and informants, would be its last. However, it subsequently deleted an online note which claimed that it would be open sourcing its code for Ransomware as a Service (RaaS) actors to use.
Saumitra Das, CTO of Blue Hexagon, said Babuk has in the past been linked to attacks that exploit VPN vulnerabilities to gain a foothold inside victim networks.
“Due to the deluge of new CVEs this year, attackers have now started attacking company infrastructure as an entry rather than the usual first vectors of phishing users, finding leaked credentials or open RDP,” he added.
“Such infection methods circumvent prevention-based perimeter defense like firewalls and necessitate the use of network detection and response to find attack traces that signature-based technologies miss. “