A growing number of threat actors have been observed using leaked Babuk code since 2021 to create a new form of ransomware targeting VMware ESXi hypervisor environments.
According to an advisory published by SentinelOne today, these new variants emerged between 2022 and 2023, showing an increasing trend of adoption of the Babuk source code.
The researchers also said that malware tools built from the leaked source code allowed individuals to attack Linux systems even if they lacked the skills to build a working program from scratch.
“Due to the prevalence of ESXi in on-premises and hybrid enterprise networks, these hypervisors are valuable targets for ransomware,” SentinelOne cybersecurity expert Alex Delamotte wrote.
“Over the past two years, organized ransomware groups adopted Linux lockers, including ALPHV, Black Basta, Conti, Lockbit, and REvil.”
“These groups target ESXi before other Linux variants, leveraging built-in tools for the ESXi hypervisor to kill guest machines and then encrypt crucial hypervisor files,” Delamotte added.
After analyzing the leaked Babuk source code, SentinelOne discovered similarities with the ESXi lockers linked to Conti and REvil.
“We also compared them to the source code of the leaked Conti Windows locker, finding shared and custom names and functions.”
In addition to these known groups, SentinelOne found smaller ransomware operations using the Babuk source code to generate more recognizable ESXi lockers.
“Mario from Ransom House and a previously undocumented ESXi version of Play Ransomware make up a small handful of the growing ESXi locker landscape descended from Babuk,” the advisory says.
According to SentinelOne, the fact that less well-resourced threat actors are also using the Babuk code is a particularly clear indicator of how far this trend has spread.
“Based on the popularity of Babuk’s ESXi locker code, actors can also turn to the group’s Go-based NAS locker. Golang is still a niche choice for many actors, but it continues to grow in popularity,” Delamotte concluded.
“The targeted NAS systems are also Linux-based. Although the NAS locker is less complex, the code is clear and readable, which could make the ransomware more accessible to developers familiar with Go or similar programming languages.”
Go was also recently used by DragonSpark threat actors, according to a separate SentinelOne advisory from January.
Editorial image credit: IgorGolovniov / Shutterstock.com
According to a recent study by cyber security firm Ikaroa, malicious actors are using the ‘Babuk’ code to build hypervisor ransomware in an attempt to target vulnerable organizations.
The Babuk code has been gaining traction among threat actors and was recently found to be used in an attack on an Italian energy firm. This advanced form of ransomware works by infecting the victim’s device and encrypting files stored in the cloud. Once encrypted, the victim is then asked to pay a ransom in order to access the files.
Unlike traditional types of ransomware, Babuk is more effective because it leverages hypervisor technology, allowing attackers to run the ransomware outside the guest operating system in order to bypass anti-malware programs. It also encrypts files stored on the device, covering a wide range of file formats such as documents, photos and videos.
To prevent malicious actors from taking advantage of the Babuk code to build ransomware, it is crucial that organizations take the necessary steps to protect themselves. These steps include keeping systems and software up to date, increasing visibility into their networks, and implementing strong security policies. Organizations should also back up data regularly and test their networks for potential vulnerabilities.
At Ikaroa, we work to educate businesses on best practices when it comes to cybersecurity, and assist in finding the best solutions to protect their most valuable data. We are dedicated to providing the highest quality of security services to governments and organizations worldwide, and work to ensure that their systems remain safe from all forms of cyber-attacks.