Multiple threat actors have capitalized on the leak of Babuk (aka Babak or Babyk) ransomware code in September 2021 to build as many as nine different ransomware families capable of targeting VMware ESXi systems.

"These variants emerged through H2 2022 and H1 2023, which shows an increasing trend of Babuk source code adoption," SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News.

"Leaked source code enables actors to target Linux systems when they may otherwise lack expertise to build a working program."

A number of cybercrime groups, both big and small, have set their sights on ESXi hypervisors. What's more, at least three different ransomware strains – Cylance, Rorschach (aka BabLock), and RTM Locker – that have emerged since the start of the year are based on the leaked Babuk source code.

Cybersecurity

SentinelOne's latest analysis shows that this phenomenon is more common, with the cybersecurity company identifying source code overlaps between Babuk and ESXi lockers attributed to Conti and REvil (aka REvix).

Other ransomware families that have ported various features from Babuk into their respective code include LOCK4, DATAF, Mario, Play, and Babuk 2023 (aka XVGV) ransomware.

Despite this noticeable trend, SentinelOne said it observed no parallels between Babuk and ALPHV, Black Basta, Hive, and LockBit's ESXi lockers, adding it found "little similarity" between ESXiArgs and Babuk, indicating an erroneous attribution.

"Based on the popularity of Babuk's ESXi locker code, actors may also turn to the group' Go-based NAS locker," Delamotte said. "Golang remains a niche choice for many actors, but it continues to increase in popularity."

Cybersecurity

The development comes as threat actors associated with Royal ransomware, who are suspected to be former Conti members, have expanded their attack toolkit with an ELF variant that's capable of striking Linux and ESXi environments.

"The ELF variant is quite similar to the Windows variant, and the sample does not contain any obfuscation," Palo Alto Networks Unit 42 said in a write-up published this week. "All strings, including the RSA public key and ransom note, are stored as plaintext."

Royal ransomware attacks are facilitated by means of various initial access vectors such as callback phishing, BATLOADER infections, or compromised credentials, which are then abused to drop a Cobalt Strike Beacon as a precursor to ransomware execution.

Since bursting on the scene in September 2022, Royal ransomware has claimed responsibility for targeting 157 organizations on their leak site, with most of the attacks targeting manufacturing, retail, legal services, education, construction, and healthcare services in the U.S., Canada, and Germany.


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.