As many as nine distinct ransomware families that are able to target VMware ESXi systems have been developed thanks to the disclosure of Babuk (also Babak or Babyk) ransomware code in September 2021. Alex Delamotte, a security researcher at SentinelOne, found that the use of Babuk source code was on the rise throughout the second half of 2022 and the first half of 2023.
In the case of Linux systems, compromised source code allows attackers to target these systems even if they lack the knowledge necessary to compile fully functional software from scratch.
Several large and minor cybercrime organizations have targeted ESXi hypervisors. Furthermore, at least three distinct ransomware strains have appeared since the beginning of the year that is based on the released Babuk source code: Cylance, Rorschach (aka BabLock), and RTM Locker.
Source code commonalities between Babuk and ESXi lockers reported to Conti and REvil (aka REvix) have been discovered, according to the most recent research conducted by cybersecurity firm SentinelOne. Babuk’s code has been adopted by other ransomware families, including LOCK4, DATAF, Mario, Play, and Babuk 2023 (also known as XVGV).
In spite of this pattern, SentinelOne stated that it discovered no similarities between Babuk and ALPHV, Black Basta, Hive, or LockBit’s ESXi lockers and that it found “little similarity” between ESXiArgs and Babuk, suggesting an incorrect attribution.
In light of the widespread use of Babuk’s ESXi locker code, “criminals may also resort to the group’ Go-based NAS locker,” as Delamotte put it. Although Golang is still a minority language among performers, its use is on the rise.
This comes as the threat actors behind the Royal ransomware, thought to be ex-Conti members, have added an ELF variation to their attack toolkit that can target Linux and ESXi systems.
Based on a report released this week by Palo Alto Networks Unit 42, the ELF variant is quite comparable to the Windows variant, and the sample contains no obfuscation. The RSA public key and the decryption instructions are both stored as plaintext.
Initial access vectors utilized in Royal ransomware assaults include callback phishing, BATLOADER infections, and compromised credentials, and are exploited to release a Cobalt Strike Beacon before executing the ransomware.
In the United States, Canada, and Germany, the manufacturing, retail, legal services, education, construction, and healthcare sectors have been the primary targets of Royal ransomware attacks since the outbreak in September 2022.
Conclusion
Nine ransomware organizations are targeting VMware ESXi machines with Babuk’s leaked code. Security researchers claim Babuk Locker, the released code, has produced 18 months of malware variations. Up to 9 criminal groups used leaked Babuk source code to attack Linux-based VMware ESXi hypervisors. According to SentinalLabs, the research arm of security company SentinalOne, the malware allows attackers to target Linux systems.
Ransomware targets VMware ESXi hypervisors, which are utilized in on-premises and hybrid environments. SentinalLabs says Babuk source code-based malware targets Linux hypervisors. According to research, organized ransomware gangs like ALPHV, Black Basta, Conti, Lockbit, and REvil have used Linux lockers for two years. These groups prioritize ESXi over other Linux variations, using built-in hypervisor tools to destroy guest machines and encrypt critical hypervisor files.
Minorities use malware. It states Ransom House’s Mario and an undocumented ESXi variant of Play Ransomware are a few of the increasing Babuk-descended ESXi locker ecosystems. A malevolent insider exposed Babuk’s code to a Russian forum in September 2021. The disclosure revealed how cyber groups operate and included all the code needed to run ransomware. VMware ESXi hypervisor vulnerabilities have been routinely exploited recently, allowing access to thousands of systems and causing a crime wave earlier this year.
