Since 2021, we have observed an increasing number of attackers using the leaked Babuk code to create new forms of ransomware targeting VMware ESXi hypervisor environments.
According to the advisory released today by SentinelOne, these new variants appeared between 2022 and 2023, indicating a growing trend of adoption of the Babuk source code.
The researchers also said that malware tools built from the leaked source code allow individuals who lack the skills to write a functioning program from scratch to attack Linux systems.
“The prevalence of ESXi in on-premises and hybrid enterprise networks makes these hypervisors a valuable target for ransomware,” said Alex Delamotte, cybersecurity expert at SentinelOne.
“Over the past two years, organized ransomware groups have adopted Linux lockers such as ALPHV, Black Basta, Conti, Lockbit and REvil.”
You can read more about Black Basta’s attacks and techniques here: Black Basta introduces PlugX malware to USB devices with new technique
“These groups have focused on ESXi before other Linux variants, leveraging the ESXi hypervisor’s built-in tools to kill guest machines and encrypt critical hypervisor files,” added Delamotte.
After analyzing the leaked Babuk source code, SentinelOne found similarities to the ESXi lockers linked to Conti and REvil.
“We also compared it to the leaked Conti Windows Locker source code and found shared bespoke function names and traits.”
In addition to these known groups, SentinelOne discovered a small-scale ransomware operation using the Babuk source code to produce a more recognizable ESXi locker.
“RansomHouse’s Mario and the previously undocumented ESXi version of the Play ransomware constitute a small handful of the growing Babuk-derived ESXi locker landscape,” the advisory reads.
According to SentinelOne, the fact that low-resource attackers are also using the Babuk code is a particular escalation of this trend.
“Based on the popularity of Babuk’s ESXi locker code, attackers may also turn to the group’s Go-based NAS locker. Golang remains a niche option for many actors, but its popularity continues to grow,” concluded Delamotte.
“The targeted NAS systems are also Linux-based. The NAS locker is not overly complicated, but the code is clear and readable, which could make the ransomware more accessible to developers familiar with Go or similar programming languages.”
According to another SentinelOne advisory from January, Go was also recently used by the DragonSpark threat actor.