Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

Leaked Babuk Code Fuels New Wave of VMware ESXi Ransomware

SentinelOne sees multiple threat groups adopting the leaked Babuk source code to build their own VMware ESXi lockers.

Cybersecurity firm SentinelOne warns of an increase in the number of new ransomware families designed to target VMware ESXi that are based on the leaked Babuk source code.

Targeting both Windows and Linux systems, the Babuk ransomware family was initially detailed in January 2021 and was used in attacks against numerous organizations.

In September 2021, the malware’s source code was leaked online by one of its operators, which allowed security researchers to release a free decryption tool for it roughly two months later.

The leaked source code has been used to create new ransomware variants, including RTM Locker and Rook, and was also used in the Rorschach ransomware. Both RTM Locker and Rorschach (aka BabLock) target ESXi servers too.

Over the past year, SentinelOne says in a new technical report, the source code was used to create at least 10 ransomware families specifically targeting VMware ESXi servers.

Other smaller ESXi ransomware operations also adopted the code, including House’s Mario, Play, Cylance (unrelated to the security firm with the same name), Dataf Locker, Lock4, and XVGV.

Infamous ransomware gangs such as Alphv/BlackCat, Black Basta, Conti, Lockbit, and REvil have been observed targeting ESXi deployments as well.

However, SentinelOne’s analysis of these malware families has revealed that only Conti and REvil ESXi lockers show overlaps with the leaked Babuk code.

Advertisement. Scroll to continue reading.

The ESXiArgs locker that caused havoc earlier this year, however, showed very few similarities with Babuk, aside from the use of the same open-source Sosemanuk encryption implementation, the cybersecurity firm says.

“While ties to REvil remain tentative, the possibility exists that these groups – Babuk, Conti, and REvil – potentially outsourced an ESXi locker project to the same developer,” SentinelOne notes.

The identified links suggest that the two ransomware operations may have experienced small leaks or that they share code to collaborate, SentinelOne says.

Overall, the cybersecurity firm stresses on the fact that threat actors are increasingly using the Babuk code to build ESXi and Linux lockers and that they might also adopt the group’s Go-based NAS locker in the future.

“Golang remains a niche choice for many actors, but it continues to increase in popularity. The targeted NAS systems are also based on Linux. While the NAS locker is less complex, the code is clear and legible, which could make ransomware more accessible for developers who are familiar with Go or similar programming languages,” SentinelOne concludes.

Related: LockBit Ransomware Group Developing Malware to Encrypt Files on macOS

Related: New ‘Trigona’ Ransomware Targets US, Europe, Australia

Related: Linux Variant of Cl0p Ransomware Emerges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Ransomware

A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 

Ransomware

Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.

Ransomware

Alphv/BlackCat ransomware group files SEC complaint against MeridianLink over its failure to disclose an alleged data breach caused by the hackers.

Ransomware

Johnson Controls has confirmed being hit by a disruptive cyberattack, with a ransomware group claiming to have stolen 27Tb of information from the company.