Babuk code used by 9 ransomware gangs to encrypt VMWare ESXi servers


An increasing number of ransomware operations are adopting the leaked Babuk ransomware source code to create Linux encryptors targeting VMware ESXi servers.

SentinelLabs security researchers observed this rising trend after spotting a rapid succession of nine Babuk-based ransomware variants that surfaced between the second half of 2022 and the first half of 2023.

“There is a noticeable trend that actors increasingly use the Babuk builder to develop ESXi and Linux ransomware,” said SentinelLabs threat researcher Alex Delamotte.

“This is particularly evident when used by actors with fewer resources, as these actors are less likely to significantly modify the Babuk source code.”

The ransomware families that have adopted the leaked code to build Babuk-based ESXi encryptors since H2 2022 (with the extension each appends to encrypted files, where known) are Play (.FinDom), Mario (.emario), Conti POC (.conti), REvil aka Revix (.rhkrc), Cylance ransomware, Dataf Locker, Rorschach aka BabLock, Lock4, and RTM Locker.
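As an added example (not from the article or from SentinelLabs), the following Python hunt script walks a datastore path and groups files by the Babuk-variant extensions listed above, separating renamed VM files from other hits. The sample directory tree, the list of VM file suffixes and the family labels are assumptions for illustration only.

```python
import os
import tempfile
from collections import defaultdict

# Extensions the article attributes to Babuk-based ESXi encryptors (lower-cased for matching).
BABUK_VARIANT_EXTENSIONS = {
    ".findom": "Play",
    ".emario": "Mario",
    ".conti": "Conti POC",
    ".rhkrc": "REvil/Revix",
}

# VM file types an ESXi encryptor would typically rename (assumed list, not from the article).
VM_SUFFIXES = (".vmdk", ".vmx", ".vmsd", ".vmsn", ".nvram")


def scan_datastore(root):
    """Walk `root` and group files whose extension matches a known variant, by family.

    Each hit is (path relative to root, "vm" | "other"), where "vm" means the name
    under the appended extension still ends in a VM suffix, e.g. web01.vmdk.emario.
    """
    hits = defaultdict(list)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            base, ext = os.path.splitext(name)
            family = BABUK_VARIANT_EXTENSIONS.get(ext.lower())
            if family is None:
                continue
            inner_ext = os.path.splitext(base)[1].lower()
            kind = "vm" if inner_ext in VM_SUFFIXES else "other"
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            hits[family].append((rel, kind))
    return dict(hits)


def build_sample_datastore():
    """Constructed sample tree (empty files, not a real datastore) so the scanner runs offline."""
    root = tempfile.mkdtemp(prefix="vmfs-sample-")
    sample_files = [
        "web01/web01.vmdk.emario", "web01/web01.vmx.emario",   # Mario-renamed VM files
        "db01/db01-flat.vmdk.rhkrc", "db01/backup.tar.conti",  # one VM hit, one non-VM hit
        "clean/app.vmdk",                                      # untouched VM, must not match
    ]
    for rel in sample_files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


if __name__ == "__main__":
    for family, files in sorted(scan_datastore(build_sample_datastore()).items()):
        print(family, files)
```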

Babuk vs. Conti POC comparison (SentinelLabs)

As expected, Babuk’s leaked builder has enabled attackers to target Linux systems even if they don’t have the expertise to develop their own custom ransomware strains.

Unfortunately, its use by other ransomware families has also made it much more challenging to identify the perpetrators of attacks, since multiple actors adopting the same tooling greatly complicates attribution.

These join many other unique, non-Babuk-based ransomware strains targeting VMware ESXi virtual machines that have been discovered in the wild over the past several years.

Some of the ones found in the wild are Royal Ransomware, Nevada Ransomware, GwisinLocker ransomware, Luna ransomware, RedAlert Ransomware, as well as Black Basta, LockBit, BlackMatter, AvosLocker, HelloKitty, REvil, RansomEXX, and Hive.

Ransom note dropped by Mario ransomware VMware ESXi encryptor (MalwareHunterTeam)

Source code and decryption keys leak

The Babuk (aka Babyk and Babuk Locker) ransomware operation surfaced at the beginning of 2021 by targeting businesses in double-extortion attacks.

The gang’s ransomware source code was leaked on a Russian-speaking hacking forum in September 2021, together with VMware ESXi, NAS, and Windows encryptors, as well as encryptors and decryptors compiled for some of the gang’s victims.

After it attacked Washington, DC’s Metropolitan Police Department (MPD) in April 2021, the cybercrime group attracted unwanted attention from U.S. law enforcement and claimed to have shut down the operation after beginning to feel the heat.

Babuk members splintered off, with the admin launching the Ramp cybercrime forum and the other core members relaunching the ransomware as Babuk V2.
