Several threat actors have taken advantage of the Babuk (aka Babak or Babyk) ransomware code leak in September 2021 to create up to nine different ransomware families capable of targeting VMware ESXi systems.
“These variants emerged during H2 2022 and H1 2023, showing an increasing trend of adoption of the Babuk source code,” SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News.
“Leaked source code allows actors to target Linux systems when they might not otherwise have the expertise to create a working program.”
Various cybercriminal groups, both large and small, have set their sights on ESXi hypervisors. Additionally, at least three different strains of ransomware—Cylance, Rorschach (aka BabLock), RTM Locker—that have emerged since the beginning of the year are based on the leaked Babuk source code.
SentinelOne’s latest analysis shows that this phenomenon is more common, with the cybersecurity firm identifying source code overlaps between Babuk and ESXi cabinets attributed to Conti and REvil (aka REvix).
Other ransomware families that have ported various Babuk features into their respective code include LOCK4, DATAF, marioPlay and Ransomware Babuk 2023 (aka XVGV).
Despite this notable trend, SentinelOne said it saw no parallelism between Babuk’s ESXi cabinets and ALPHV, Black Basta, Hive, and LockBit, adding that it found “little similarity” between ESXiArgs and Babuk, indicating a wrong attribution.
“Based on the popularity of Babuk’s ESXi locker code, actors may also turn to the group’s Go-based NAS locker,” said Delamotte. “Golang is still a niche choice for many players, but it continues to grow in popularity.”
Learn how to stop ransomware with real-time protection
Join our webinar and learn how to stop ransomware attacks with real-time MFA and service account protection.
Save my seat!
The development comes as threat actors associated with the Royal ransomware, suspected to be former members of Conti, have expanded their attack toolset with an ELF variant that is capable of attacking Linux and ESXi environments .
“The ELF variant is quite similar to the Windows variant and the sample does not contain any obfuscation,” Palo Alto Networks Unit 42 said in a write-up published this week. “All strings, including the RSA public key and ransom note, are stored as plain text.”
Real ransomware attacks are facilitated by various initial access vectors, such as callback phishing, BATLOADER infections, or compromised credentials, which are then abused to drop a Cobalt Strike Beacon as a precursor to ransomware execution .
Since appearing on the scene in September 2022, the Royal ransomware has claimed responsibility for targeting 157 organizations at its breach site, with the majority of attacks targeting manufacturing, retail, legal services, education, construction and healthcare services in the US, Canada and Germany.
Recently, a ransomware attack using 9 distinct strains spanned across multiple VMware ESXI systems. This malicious attack has been traced back to a specific source code, “Babuk,” which has sparked a great deal of concern throughout the IT industry. Furthermore, research conducted by Ikaroa, the full stack tech company, revealed the staggering variety of such malicious applications related to the source code .
Although each variant of these ransomware attacks varies in sophistication and capabilities, the purpose of them remains constant – to collect money from victims in exchange for getting their systems and data back. Such demands have forced businesses and institutions across the globe to take mandatory steps for protecting their infrastructure from similar malicious threats.
Ikaroa strongly advises organizations to prioritize their cybersecurity efforts by engaging in frequent updates to their infrastructures and operating systems, setting the appropriate user security settings, and developing robust protocols around identity and access management to reduce their risk exposure.
At Ikaroa, we believe it is our responsibility to ensure the safety and privacy of our clients and their systems by constantly monitoring the ever-evolving landscape of cyber threats and providing appropriate security solutions to protect them. We actively update our comprehensive bi-annual security research and are always looking for new ways to strengthen our security posture to keep businesses safe from such malicious threats.