Babuk2 Ransomware: Extortion Attempts Based on False Claims


Recent investigations by the Halcyon RISE Team have revealed that the Babuk2 ransomware group is issuing extortion demands based on false claims. Although the group has publicly announced numerous attacks, there has been no confirmation from third parties or victims that any actual ransomware incidents have occurred.
What’s Really Happening?
- False Claims & Recycled Data: Babuk2, also known as Babuk-Bjorka, appears to be reusing data from earlier breaches to back up its extortion claims. Many of the victims listed in their announcements were already targeted by other ransomware groups such as RansomHub, FunkSec, LockBit, and even the original Babuk team.
- No Confirmed New Attacks: Despite the group’s claims of having conducted multiple attacks in early 2025, our analysis indicates there is no evidence of new, live ransomware encryption or fresh network intrusions. Instead, the data appears to be recycled from past incidents.
- Key Figures & Origins: Babuk2 emerged in January 2025 and is not a direct continuation of the original Babuk ransomware, which was active in 2021. The new operation seems to use the Babuk name for credibility. Its administrator, known as Bjorka, has been active on various forums and Telegram, and has previously been associated with other data breaches and extortion attempts.
Why This Matters for Businesses
- Financial and Reputational Risks: Even if the attack claims are false, the mere threat can pressure organizations into paying ransoms or investing in unnecessary remediation measures.
- Due Diligence is Critical: Business leaders should ensure that any extortion claim is independently verified against evidence of an actual network intrusion. This includes checking whether the data offered as proof actually comes from a new breach or is simply recycled from previous incidents.
- Staying Informed: Given the high-profile nature of some of the claims – including a significant incident allegedly targeting Indian military and government data – decision-makers must remain alert and consult with cybersecurity experts to interpret such threats accurately.
Conclusion and Recommendations
At present, Babuk2’s claims of successful ransomware attacks appear to be unsubstantiated. The group seems to be leveraging previously leaked data as a tactic to boost its credibility and drive ransom payments.
Organizations facing such claims should conduct thorough, independent investigations of any reported breaches. A proactive approach—verifying network integrity and checking for signs of genuine, new attacks—will help prevent unnecessary panic and financial loss.
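One way to run the recycled-data check recommended above, shown as an added example (not Halcyon's tooling): it fingerprints each record in an extortion "proof" sample, measures overlap with previously leaked data sets the organization already holds, and compares the newest date found in the sample with the earlier leak's publication date. The function names, the 0.8 threshold and all sample records are constructed assumptions.

```python
import hashlib
import re
from datetime import date

DATE_RE = re.compile(r"\b(20\d{2})-(\d{2})-(\d{2})\b")

def fingerprint(record):
    # Normalize case and whitespace so a re-exported copy of a row still matches.
    norm = re.sub(r"\s+", " ", record.strip().lower())
    return hashlib.sha256(norm.encode("utf-8")).hexdigest()

def newest_date(records):
    # Latest ISO date embedded in any record; None if no valid date is present.
    found = []
    for rec in records:
        for y, m, d in DATE_RE.findall(rec):
            try:
                found.append(date(int(y), int(m), int(d)))
            except ValueError:  # e.g. 2024-13-40 is not a real date
                pass
    return max(found) if found else None

def assess_sample(sample, prior_leaks, threshold=0.8):
    # prior_leaks maps a label to (publication_date, records).
    index = {}
    for label, (_published, records) in prior_leaks.items():
        for rec in records:
            index.setdefault(fingerprint(rec), label)
    unique = {fingerprint(r) for r in sample if r.strip()}
    matched = {}
    for fp in unique:
        if fp in index:
            matched[index[fp]] = matched.get(index[fp], 0) + 1
    overlap = sum(matched.values()) / len(unique) if unique else 0.0
    newest = newest_date(sample)
    cutoff = max((prior_leaks[s][0] for s in matched), default=None)
    # Recycled: most rows already leaked AND nothing dated after that leak.
    recycled = bool(matched) and overlap >= threshold and (newest is None or newest <= cutoff)
    return {"overlap": overlap, "matched": matched,
            "newest_record": newest, "likely_recycled": recycled}

# Constructed sample data (not real leak content).
PRIOR = {"2023 leak (constructed)": (date(2023, 6, 1), [
    "1001,alice@example.com,2022-11-03", "1002,bob@example.com,2023-01-15",
    "1003,carol@example.com,2023-04-20", "1004,dave@example.com,2023-05-09"])}
RECYCLED_SAMPLE = ["1001,Alice@Example.com,2022-11-03 ", " 1002,bob@example.com,2023-01-15",
                   "1003,carol@example.com,2023-04-20", "1004,dave@example.com,2023-05-09"]
FRESH_SAMPLE = ["1001,alice@example.com,2022-11-03", "2001,erin@example.com,2025-02-11",
                "2002,frank@example.com,2025-02-14"]
```

A `likely_recycled` result of `False` does not confirm a new breach; it only means the sample contains records that the earlier leaks do not explain and that an intrusion investigation is warranted.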