McAfee Enterprise research links new RaaS gang to Babuk


Johannesburg, 15 Sep 2021

McAfee Enterprise Advanced Threat Research (ATR) has published an analysis of Groove Gang, a relatively new ransomware-as-a-service (RaaS) operation.

According to McAfee Enterprise ATR’s analysis, the team believes with high confidence that the Groove Gang is associated with the Babuk gang, either as a former affiliate or subgroup. This analysis comes as a follow-up to McAfee Enterprise’s ongoing research into the Babuk ransomware group.

Key insights from McAfee Enterprise ATR’s analysis include:

  • The fallout: After a turbulent shutdown of Babuk and the fallout from the Colonial Pipeline and Kaseya attacks, it seems that some of the ransomware-affiliated cyber criminals have found a home in a forum known as RAMP.
  • The catalyst: Popular cyber crime forums have banned ransomware actors from advertising since the Colonial Pipeline attack, making it harder for RaaS groups to establish credibility and maintain their current top-tier position in the underground.
  • Bad actors: The bad actor Orange posted a call to action and collaboration, noting that for the past two years Groove has been a financially motivated criminal organisation dealing in industrial espionage, and claimed that several of Babuk’s victims have brought them a lot of attention.
  • Financial motivation: Based on Babuk’s fallout, the similarities between the RaaS groups, and the evolving underground, ATR believes that the Groove Gang is a former affiliate or subgroup of Babuk, who are willing to collaborate with other parties, as long as there is financial gain for them.

The changing cyber criminal underground landscape created the perfect opportunity for the threat actor Orange to emerge – with the Groove Gang in tow, offering new ways of working where an associate’s worth was based entirely on their ability to earn ransom, essentially confirming McAfee Enterprise’s belief that Groove and Babuk are associated.

Please see the full blog here to read more about how the RaaS eco-climate will change from he who controls the ransomware to he who controls the victim's networks, and let us know if you are interested in discussing further with a McAfee Enterprise Researcher.