
Multiple attackers used the September 2021 Babuk (aka Babak or Babyk) ransomware code leak to build up to nine different ransomware families that can target VMware ESXi systems.
In a report shared with The Hacker News, SentinelOne security researcher Alex Delamotte said, “These variants appeared in the second half of 2022 and the first half of 2023, indicating an increasing trend in the adoption of Babuk source code.”
“Leaked source code allows attackers to target Linux systems even if they lack the expertise to build a working program.”
Numerous cybercriminal groups, large and small, have set their sights on the ESXi hypervisor. Additionally, at least three different ransomware strains that have emerged since the beginning of the year, Cylance, Rorschach (aka BabLock), and RTM Locker, are based on the leaked Babuk source code.

SentinelOne’s latest analysis shows the phenomenon to be more widespread than previously thought: the cybersecurity firm identified source-code overlap between Babuk and the ESXi lockers attributed to Conti and REvil (aka REvix).
Other ransomware families that have ported various features of Babuk into their code include LOCK4, DATAF, MarioPlay, and Babuk 2023 (aka XVGV) ransomware.
Despite this pronounced trend, SentinelOne said it observed no similarities between Babuk and the ALPHV, Black Basta, Hive, and LockBit ESXi lockers, and found “little similarity” between ESXiArgs and Babuk, indicating that earlier attributions were incorrect.
“Based on the popularity of Babuk’s ESXi locker code, attackers may also look to the group’s Go-based NAS locker,” said Delamotte. “Golang remains a niche option for many actors, but it continues to grow in popularity.”
The development comes as the threat actors behind Royal ransomware, suspected to be former Conti members, expand their toolkit with an ELF variant capable of targeting Linux and ESXi environments.
“The ELF variant is very similar to the Windows variant and the samples do not include obfuscation,” Palo Alto Networks Unit 42 said in an article published this week. “All strings including RSA public keys and ransom notes are stored as plaintext.”
Royal ransomware attacks are facilitated by a variety of initial access vectors, including callback phishing, BATLOADER infections, and compromised credentials, which are then exploited to drop Cobalt Strike Beacons as precursors to ransomware execution.
Since its emergence in September 2022, Royal ransomware has claimed responsibility for attacks on 157 organizations on its leak site, with most of the victims in manufacturing, retail, legal services, education, construction, and medical services, including organizations in Germany.