Babuk2 Ransomware: Extortion Attempts Based on False Claims
ID: 2babf70e-2e31-5ee7-8fd2-986a3855820d
STIX ID: report--2babf70e-2e31-5ee7-8fd2-986a3855820d
Feed Name: Halcyon Blog
Halcyon RISE analysis indicates that Babuk2’s public extortion claims are likely false and based on recycled data from earlier breaches rather than new ransomware encryptions or fresh network intrusions. The group, active since January 2025 and associated with an operator known as Bjorka, appears to be leveraging the Babuk name for credibility. Organizations are advised to independently verify any extortion claims and check for genuine indicators of compromise before paying ransoms or undertaking costly remediation.
