Babuk | Breaking Cybersecurity News | The Hacker News

In 2024, ransomware attacks targeting VMware ESXi servers reached alarming levels, with the average ransom demand skyrocketing to $5 million. With approximately 8,000 ESXi hosts exposed directly to the internet (according to Shodan), the operational and business impact of these attacks is profound. Most of the Ransomware strands that are attacking ESXi servers nowadays, are variants of the infamous Babuk ransomware, adapted to avoid detection of security tools. Moreover, accessibility is becoming more widespread, as attackers monetize their entry points by selling Initial Access to other threat actors, including ransomware groups. As organizations are dealing with compounded threats on an ever-expanding front: new vulnerabilities, new entry points, monetized cyber-crime networks, and more, there is ever-growing urgency for enhanced security measures and vigilance. The architecture of ESXi Understanding how an attacker can gain control of the ESXi host begins with understanding the ...

Cybersecurity researchers have shed light on the inner workings of the ransomware operation led by Mikhail Pavlovich Matveev, a Russian national who was  indicted by the U.S. government  earlier this year for his alleged role in launching thousands of attacks across the world. Matveev, who resides in Saint Petersburg and is known by the aliases Wazawaka, m1x, Boriselcin, Uhodiransomwar, Orange, and waza, is alleged to have played a crucial part in the development and deployment of LockBit, Babuk, and Hive ransomware variants since at least June 2020. "Wazawaka and his team members prominently exhibit an insatiable greed for ransom payments, demonstrating a significant disregard for ethical values in their cyber operations," Swiss cybersecurity firm PRODAFT  said  in a comprehensive analysis shared with The Hacker News. "Employing tactics that involve intimidation through threats to leak sensitive files, engaging in dishonest practices, and persisting in retaining...

The threat actors behind the nascent  Buhti  ransomware have eschewed their custom payload in favor of leaked LockBit and Babuk ransomware families to strike Windows and Linux systems. "While the group doesn't develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types," Symantec  said  in a report shared with The Hacker News. The cybersecurity firm is tracking the cybercrime group under the name  Blacktail . Buhti was first highlighted by Palo Alto Networks Unit 42 in February 2023,  describing  it as a Golang ransomware targeting the Linux platform. Later that same month, Bitdefender revealed the use of a Windows variant that was deployed against Zoho ManageEngine products that were vulnerable to critical remote code execution flaws ( CVE-2022-47966 ). The operators have since been observed swiftly exploiting other severe bugs impacting I...