Breach Monitoring News Feed

We are AzzaSec — a decentralized PMC (Private Military Contractor), RaaS (Ransomware-as-a-Service) syndicate, and botnet operator at the intersection of cyberwarfare, asymmetric operations, and underground economics. Emerging from the collapse of traditional hacktivism, we evolved into a sovereign digital force. We offer custom offensive solutions to clients with political, financial, or strategic objectives. We are stateless, leaderless, and loyal only to code.

B0 is a relatively obscure ransomware operation with very limited public reporting outside of leak site monitoring. It appears to operate a data-extortion model, with a dedicated leak site on the Tor network, and no confirmed use of encryption-based ransomware in documented incidents. The group is listed in ransomware tracking services from at least mid-2024, but there are no major vendor reports describing their victimology, intrusion methods, encryption schemes, or specific targeting patterns. Its branding and operational style suggest a small, self-contained group rather than a large RaaS platform.

On January 26th, Babuk's dedicated leak site (DLS) was "relaunched". Bjorka (Telegram: @bjorkanesiaaaa) is the current administrator. Upon launch, the DLS was populated mainly by victims previously claimed by other groups such as RansomHub, Lockbit3, and Funksec. At this current time there is no apparent connection to the original Babuk operation besides reusing the Babuk site template and logos. The groups is also known as Babuk2 by other trackers. It is important to note that the original Babuk DLS was hosted and available up until February 26th, 2024.

Babuk‑Locker emerged in early 2021 as a Ransomware‑as‑a‑Service (RaaS) gang targeting high‑value “big game” enterprises across sectors like healthcare, telecommunications, finance, education, and government. It initially deployed crypto-ransomware—encrypting files using ChaCha8 encryption with keys secured via elliptic‑curve Diffie‑Hellman—and later added a double‑extortion model involving data theft and leak site threats. Notable incidents include attacks on the Washington, D.C. Metropolitan Police Department and other organizations. In mid‑2021, Babuk’s source code was leaked, prompting both a fragmentation of its core operations and emergence of variants like Babuk Tortilla and Babuk V2. Affiliates exploited vulnerabilities in ESXi hypervisors to deliver destructive variants, and law enforcement actions eventually disrupted key operators.

BabyLockerKZ is a variant of MedusaLocker ransomware, first observed in late 2023. It operates under a double‑extortion model, combining file encryption with data exfiltration and extortion. Technically, it reuses MedusaLocker’s AES + RSA‑2048 hybrid encryption, appends the .hazard file extension to encrypted files, and includes a unique autorun registry key (“BabyLockerKZ”) alongside dedicated public/private key data inserted into registry values. Initial access is achieved through opportunistic methods like RDP compromises, with lateral movement facilitated by compromised credentials and tools such as Mimikatz. The variant employs a custom toolkit codenamed paid_memes, which includes tools like "Checker" for scanning credentials, facilitating automation, and bridging toolsets for further exploitation. Starting late 2022, its operators have compromised over 100 organizations per month, initially targeting European victims before shifting toward Latin America in 2023.

BackMyData is a variant of the Phobos ransomware family, first observed in early 2024. It follows a double‑extortion model: encrypting files and threatening data exposure. The ransomware primarily targets organizations via weak or misconfigured RDP access (e.g., remote desktop services), though phishing and initial-stage payloads like SmokeLoader have also been noted. Technical behavior includes AES‑256 file encryption, with keys secured via a public RSA‑2048 key embedded in the binary. Post-infection actions involve disabling firewalls, deleting volume shadow copies, inhibiting recovery functionality, and establishing persistence through registry Run keys and startup folder entries. Encrypted files receive the extension .BACKMYDATA, and victims are left with ransom notes (info.txt, info.hta, or .backmydata) that instruct them to contact attackers via email or Session Messenger. A significant incident involved a coordinated attack on Romania’s Hipocrate Information System (HIS), impacting 26 hospitals and causing widespread system outages across nearly 100 facilities, with ransom demands of approximately 3.5 BTC (~$175,000).

BalletsPistol is a Python-based ransomware strain distributed via GitHub. An investigative report from June 2025 reveals its delivery through a malicious ISO file hosted on a now‑removed public GitHub repository tinextacyber.com+1 . The infection chain begins when the ISO (named Invoice.iso) is downloaded and mounted, revealing a batch script (MAIN.BAT) and supporting components—including a password-protected ZIP and shortcut (.lnk) for execution. The malware performs privilege escalation (via UAC bypass using fodhelper.exe), persistence via registry and scheduled tasks, and then extracts an executable from the ZIP to commence the main payload. This binary encrypts user files with a hybrid AES + RSA scheme, adding the .iDCVObno extension to encrypted files; it also drops ransom notes (RESTORE-MY-FILES.TXT or .HTA) and changes the victim’s wallpaper.

Beast ransomware emerged in 2022 as an enhanced iteration of the earlier “Monster” ransomware. It operates under a Ransomware-as-a-Service (RaaS) model, offering affiliates rich customization options to create tailored binaries targeting Windows, Linux, and VMware ESXi systems. Key technical capabilities include hybrid Elliptic-Curve + ChaCha20 encryption, segmented file encryption, ZIP wrapper mode (encrypting files into zip archives with embedded ransom notes), multithreaded processing, termination of services, shadow copy deletion, hidden partition usage, and subnet scanning. Affiliates are provided configurable offline builders, enabling streamlined deployment across multiple platforms. While Beast's functional power is well-documented, details on its specific victims, sectors targeted, and leak site activity remain limited in public sources.

aka Belesn Group. Belsen Group emerged in January 2025 as a data broker and leak-focused threat actor, not engaging in ransomware encryption. Their first major action involved publishing sensitive configuration files, VPN credentials, and IP addresses for over 15,000 Fortinet FortiGate firewalls—data likely stolen through exploitation of CVE‑2022‑40684. The group began by sharing the data freely to establish credibility, before shifting to monetized access and offering sales of network access to high-value targets such as major banks and an East African airline. Their activities place them firmly in initial access brokerage, targeting confidential infrastructure details for sale.

BERT ransomware (also tracked as Water Pombero) first emerged in April 2025, rapidly targeting both Windows and Linux systems across Asia, Europe, and the U.S., with confirmed victims in healthcare, technology, electronics, and event services sectors. Its Windows variant employs a PowerShell-based loader that escalates privileges, disables Defender, UAC, and the firewall, then downloads the ransomware payload. The Linux version aggressively encrypts with up to 50 concurrent threads, forcibly shuts down VMware ESXi VMs to prevent recovery, and appends extensions like .encryptedbybert or .encrypted_by_bert. BERT uses AES encryption, and later variants feature optimized multithreading via ConcurrentQueue and DiskWorker threads. Analysts note code similarities with REvil and Babuk ESXi lockers, potentially pointing to shared development lineage or code reuse.