An investigation that started with a tip from one of our threat intel sources about the revival of the Babuk (figure 1) threat group has led Trustwave SpiderLabs to uncover what appears to be a paradigm shift in the ransomware landscape.
Figure 1. SpiderLabs telemetry (January 2025 events).
Figure 1A. February to March events.
Figure 1B. SpiderLabs telemetry (March 2025 events).
Instead of finding another traditional ransomware operation, we discovered a sophisticated operation that represents an evolution in this crime category – one that transforms the traditional ransomware model into an industrial-scale data commoditization enterprise.
What makes this operation particularly concerning isn't just its technical sophistication but the evolution it represents. We're not looking at traditional ransomware operations anymore. This is data commoditization at an industrial scale, wrapped in the familiar package of a ransomware operation (figure 1C).
The evidence suggests that we're dealing with someone who understands the technical and psychological aspects of cybercrime. These actors are not just copying tactics; they're evolving them and creating a new playbook for data-focused criminal operations.
The concept itself dates back to at least 2019, when groups like Maze pioneered the "double extortion" tactic. This approach involves not only encrypting a victim's data but also exfiltrating it and threatening to sell or leak it if the ransom isn’t paid. What’s newer is the scale, sophistication, and market-like dynamics that have emerged around this practice.
Figure 1C. Strategic messaging showcases a polished PR strategy in ransomware evolution.
Our revelation started here. In January, after nearly a year of silence, the Babuk leak site suddenly lit up like a Christmas tree. My first thought? This doesn't feel right.
The first red flag hit me while comparing the new data leak site’s interface with the archive of the original Babuk site. Sure, someone had done their homework — the visual match was uncanny, as seen in figures 2 and 3. But something felt off about the timing and the sudden flood of victim posts.
Figure 2. Babuk2's modernized dark web interface demonstrating sophisticated rebranding efforts.
Figure 3. Babyk.
Digging deeper into the victim data, I started noticing patterns that didn't add up. These weren't fresh hits. In fact, many of these organizations had already appeared on other groups' leak sites months ago. The real kicker? Some posts were copies of the exact same text from previous RansomHub and FunkSec leaks, typos and all, as seen in figures 4 and 5.
Figure 4. Current victim database showing Babuk2's targeting patterns and operational scope.
Figure 5. Cross-reference evidence of data-recycling tactics across platforms, such as Ransomhub’s data leak site from 2024.
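The cross-referencing described above (the same victim, or the same post text down to the typos, surfacing on a second leak site months later) is something an analyst can automate. The following is an added example, not SpiderLabs tooling or data: it normalises scraped post text, compares posts from different sites by Jaccard similarity over word shingles, and also flags repeated victim names. The sites, victims, dates and post bodies are constructed placeholders, and the 0.6 similarity threshold is an assumption to tune on real data.

```python
"""Flag recycled leak-site posts by near-duplicate text and repeated victim names.

Added example with constructed sample posts; the sites, victim names, dates and
text are invented and are not real leak-site content.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class LeakPost:
    site: str      # leak site the post appeared on
    victim: str    # organisation named in the post
    posted: date   # date the post was first observed
    text: str      # body of the post as scraped


# Constructed sample set. The second "Acme Logistics" post reuses the earlier
# text verbatim, including the spelling error "recieve", which is exactly the
# kind of tell the investigation relied on. The second "Example Clinic" post
# is a lightly edited copy, so only fuzzy matching (or the victim name) catches it.
SAMPLE_POSTS = [
    LeakPost("ransomhub", "Acme Logistics", date(2024, 6, 12),
             "Acme Logistics has 7 days to recieve our offer. 400 GB of "
             "contracts, HR files and customer databases will be published."),
    LeakPost("funksec", "Example Clinic", date(2024, 11, 3),
             "Example Clinic. Patient records and billing data, 120 GB. "
             "Contact us before the timer ends."),
    LeakPost("babuk2", "Acme Logistics", date(2025, 1, 20),
             "Acme Logistics has 7 days to recieve our offer. 400 GB of "
             "contracts, HR files and customer databases will be published."),
    LeakPost("babuk2", "Northwind Energy", date(2025, 1, 22),
             "Northwind Energy: full network access, 2 TB exfiltrated. "
             "Negotiations open."),
    LeakPost("babuk2", "Example Clinic", date(2025, 2, 2),
             "Example Clinic. Patient records and billing data, 120 GB. "
             "Contact us before the timer ends. Price negotiable."),
]


def normalise(text: str) -> list[str]:
    """Lowercase, drop punctuation and tokenise, so that formatting
    differences between sites do not hide a copied post."""
    return re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split()


def shingles(tokens: list[str], k: int = 4) -> set[tuple[str, ...]]:
    """Word k-grams; a post of k words or fewer yields a single shingle."""
    if len(tokens) <= k:
        return {tuple(tokens)}
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a: set, b: set) -> float:
    """Set overlap in [0, 1]; two empty sets count as no overlap."""
    return len(a & b) / len(a | b) if a | b else 0.0


def find_recycled_posts(posts: list[LeakPost], threshold: float = 0.6) -> list[dict]:
    """Return pairs where a later post on a different site reuses an earlier
    post's text (shingle Jaccard >= threshold) or names the same victim."""
    ordered = sorted(posts, key=lambda p: p.posted)
    sigs = [shingles(normalise(p.text)) for p in ordered]
    hits = []
    for j, later in enumerate(ordered):
        for i in range(j):
            earlier = ordered[i]
            if earlier.site == later.site:
                continue  # reposts within one site are not cross-site recycling
            sim = jaccard(sigs[i], sigs[j])
            same_victim = earlier.victim.lower() == later.victim.lower()
            if sim >= threshold or same_victim:
                hits.append({
                    "victim": later.victim,
                    "earlier_site": earlier.site,
                    "later_site": later.site,
                    "days_between": (later.posted - earlier.posted).days,
                    "similarity": round(sim, 2),
                    "verbatim": sim >= 0.95,
                })
    return hits


if __name__ == "__main__":
    for hit in find_recycled_posts(SAMPLE_POSTS):
        print(hit)
```

On the constructed set this reports the Acme Logistics post as a verbatim copy 222 days after its first appearance and the Example Clinic post as a near copy (similarity 0.86) 91 days later; the Northwind Energy post, which has no earlier counterpart, is not flagged. Keying on the victim name as well as the text catches reposts that were reworded but not re-sourced.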
At some point, Babuk2-affiliated members began actively posting on Dark Web forums, sharing not only updates but also leaks from other ransomware groups.
Figure 6. The healthcare data from the 2023 breach was shared by a ransomware group-affiliated member at the end of 2024.
Surprisingly, these disclosures did not seem to provoke a visible reaction from the affected groups. However, the lack of public response does not necessarily indicate indifference; what happens behind the scenes remains unknown.
Figure 7. Post on the same forum with the same content from the Babuk2 associated user from 17 Feb 2025.
Here's where it gets interesting. While tracking the leak patterns, a name kept popping up: Bjorka. This wasn't just some haphazard data reuse effort — we were looking at a carefully orchestrated campaign by a threat actor who'd been busy building its reputation across multiple platforms.
During a late-night analysis session, I stumbled across Bjorka's Telegram channel. The timestamps told a story that perfectly aligned with the sudden resurrection of the Babuk brand. The group had been steadily building up its operation, testing the waters with individual data sales before making the jump to a full-blown ransomware impersonation play.
What really caught my attention was Bjorka's approach to infrastructure. Unlike typical ransomware operations that focus on either the dark web or a clearnet presence, they'd built a sophisticated multi-channel operation: Bjorka's clearnet site reads like a professional data broker's platform, with a clean interface, clear pricing information, and readily available sample data. But dig into the technical details of its Tor hidden service, and you'll find the fingerprints of someone who really knows operational security. The irony? Some of these same security measures appear in their BreachForums listings, as seen in figures 8, 9, and 10.
Figure 8. User Xobijahabi’s release of MyIndiHome data led to an immediate ban, highlighting the threat actor’s coordinated multi-platform strategy.
Figure 9. Latest Babuk2 data leak site showing “MyIndiHome” and “MyPertamina Indonesia”.
Figure 10. Bjorka’s data release back in January 2024 at BreachForums.
Following the money revealed another layer of sophistication. Bjorka's pricing strategy isn't random — it is playing a clever game of market psychology. Initial ransom demands hit hard ($500K), but it always leaves room for secondary market sales ($50K) for “serious buyers”. It's a tiered approach that maximizes potential profits while maintaining market credibility.
Looking at the group’s January 2025 operations, I noticed it was particularly active during Asian business hours, which is a detail that adds another piece to the attribution puzzle. Its communication patterns show a consistent time zone pattern that doesn't match the original Babuk group's operational hours. This could suggest a new operator or a shift to an Asia-based faction.
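The time-zone observation above is one signal an analyst can compute rather than eyeball. The following is an added example (not SpiderLabs tooling or telemetry): it takes post observation times in UTC, shifts them into each candidate operator zone, and scores what share of posts fall in local business hours. The timestamps are constructed, and the candidate zones are fixed UTC offsets rather than named zones, which is an assumption made to keep the example self-contained (a real analysis would use named zones so daylight-saving changes are handled).

```python
"""Score candidate operator time zones by how much posting activity lands in
local business hours. Added example with constructed timestamps; not telemetry."""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed observation times (UTC) for posts on one channel. Invented for the
# example: they cluster between 01:00 and 10:00 UTC, with one late outlier.
SAMPLE_TIMESTAMPS_UTC = [
    "2025-01-14T02:10:00", "2025-01-14T03:45:00", "2025-01-14T06:20:00",
    "2025-01-15T01:30:00", "2025-01-15T04:05:00", "2025-01-15T08:50:00",
    "2025-01-16T02:40:00", "2025-01-16T05:15:00", "2025-01-16T09:30:00",
    "2025-01-17T03:00:00", "2025-01-17T07:10:00", "2025-01-17T22:15:00",
]

# Candidate zones as fixed UTC offsets (assumption: no daylight-saving handling).
CANDIDATE_OFFSETS = {"UTC-5": -5, "UTC+0": 0, "UTC+3": 3, "UTC+8": 8}

BUSINESS_HOURS = range(9, 18)  # 09:00 to 17:59 local time


def parse_utc(stamps: list[str]) -> list[datetime]:
    """Parse ISO-8601 strings and mark them as UTC."""
    return [datetime.fromisoformat(s).replace(tzinfo=timezone.utc) for s in stamps]


def hour_histogram(times: list[datetime], offset_hours: int) -> Counter:
    """Count posts per local hour after shifting into the candidate zone."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(t.astimezone(tz).hour for t in times)


def business_hours_share(times: list[datetime], offset_hours: int) -> float:
    """Fraction of posts that fall inside local business hours."""
    hist = hour_histogram(times, offset_hours)
    in_hours = sum(n for h, n in hist.items() if h in BUSINESS_HOURS)
    return in_hours / len(times) if times else 0.0


def rank_timezones(stamps: list[str], candidates=CANDIDATE_OFFSETS) -> list[tuple[str, float]]:
    """Rank candidate zones by business-hours share, best first."""
    times = parse_utc(stamps)
    scored = {name: round(business_hours_share(times, off), 2)
              for name, off in candidates.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, share in rank_timezones(SAMPLE_TIMESTAMPS_UTC):
        print(f"{name}: {share:.0%} of posts in local business hours")
```

On the constructed data UTC+8 scores 0.92 and UTC+3 0.33, with the western candidates near zero. As the text says, this is one piece of the attribution puzzle, not a conclusion: scheduled posting, automation and deliberate timing all distort it, so it belongs alongside language, infrastructure and forum evidence rather than in place of them.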
What makes this operation fascinating isn't just the data recycling — it's the level of strategic thinking behind it. The group is not just copying and pasting old leaks; it's building a brand, establishing a market presence, and creating a sustainable operational model.
During our investigation of the group’s communications with its victims, we uncovered evidence of sophisticated social engineering. Bjorka is leveraging the Babuk brand recognition while introducing its own operational tweaks, such as removing specific targeting restrictions that were hallmarks of the original group, as seen in figures 11 and 12.
Figure 11. This is the known original Babuk data leak site.
Figure 12. Evolution of targeting policies showing tactical refinement between the original Babuk and Babuk2.
After days of correlating data points across different platforms, a pattern began emerging. Bjorka wasn't just throwing data around — it was orchestrating a carefully timed release strategy. I noticed how the group tested the waters with smaller, high-visibility leaks on Telegram, gauged market response, then escalated to larger platforms, as seen in figure 13.
Figure 13. Bjorka's visibility.
After weeks of following Bjorka's digital footprints, one thing becomes crystal clear. We're witnessing a paradigm shift in the ransomware landscape. This isn't just another copycat operation — it's a glimpse into the future of data-driven cybercrime.
The genius of this operation lies not in its technical sophistication (though that's impressive enough) but in its business model. Bjorka has essentially created a sustainable ecosystem around recycled data, proving that in the digital underground, information isn't just power; it's a renewable resource.
Looking back at the evidence trail (figure 14), what started as a simple investigation into a rebranded ransomware operation revealed something far more significant. Bjorka isn't just impersonating Babuk; they're rewriting the playbook for cybercrime operations:
It's this combination of tactical excellence and strategic thinking that makes this operation particularly noteworthy.
Figure 14. Bjorka’s databases index.
As I wrap up this investigation, I can't help but think about the implications. We're likely to see more operations following this model — professional, patient, and focused on data as a long-term asset rather than a one-time extortion tool.
The question isn't whether we'll see more Bjorka-style operators, but how soon they'll emerge and what innovations they'll bring to the table. The blueprint has been drawn, and it's only a matter of time before others attempt to refine it.
This blueprint is also the tactic of other big ransomware groups: LockBit, Clop, BlackCat (ALPHV), 8Base, RansomHub and Play.
Defenders must now prioritize long-term data tracking and market disruption strategies; this means shifting our thinking. We're no longer just protecting against data theft — we're defending against sophisticated data commoditization operations that can turn months-old breaches into fresh threats.
The game has changed. The question is: Are we ready to adapt?