Babuk code used by 9 ransomware gangs to encrypt VMWare ESXi servers

An increasing number of ransomware operations are adopting the leaked Babuk source code to create Linux encryptors targeting VMware ESXi servers.

Researchers have observed this rising trend after spotting a rapid succession of nine Babuk-based ransomware variants that surfaced between the second half of 2022 and the first half of 2023.

The list of new ransomware families that have adopted it to build new Babuk-based ESXi encryptors since H2 2022 (and the associated extensions added to encrypted files) includes Play (.FinDom), Mario (.emario), Conti POC (.conti), REvil aka Revix (.rhkrc), Cylance ransomware, Dataf Locker, Rorschach aka BabLock, Lock4, and RTM Locker.

Babuk vs Conti POC comparison
Babuk vs. Conti POC comparison (SentinelLabs)

‚ÄčAs expected, Babuk’s leaked builder has enabled attackers to target Linux systems even if they don’t have the expertise to develop their own custom ransomware strains.

Unfortunately, its use by other ransomware families has also made it much more challenging to identify the perpetrators of attacks since multiple actors’ adoption of the same tools greatly complicates attribution efforts.

These add too many other unique, non-Babuk-based ransomware strains targeting VMware ESXi virtual machines discovered in the wild for several years.

Some of the ones found in the wild are Royal Ransomware, Nevada Ransomware, GwisinLocker ransomware, Luna ransomware, RedAlert Ransomware, Black Basta, LockBit, BlackMatter, AvosLocker, HelloKitty, REvil, RansomEXX, and Hive.

Source code and decryption keys leak

The Babuk (aka Babyk and Babuk Locker) ransomware operation surfaced at the beginning of 2021 by targeting businesses in double-extortion attacks.

The gang’s ransomware source code was leaked on a Russian-speaking hacking forum in September 2021, together with VMware ESXi, NAS, and Windows encryptors, as well as encryptors and decryptors compiled for some of the gang’s victims.

After it attacked the Washington DC’s Metropolitan Police Department (MPD) in April 2021, the cybercrime group attracted unwanted attention from U.S. law enforcement. It claimed to have shut down the operation after beginning to feel the heat.

Babuk members splintered off, with the admin launching the Ramp cybercrime forum and the other core members relaunching the ransomware as Babuk V2.

Source: BleepingComputer, SentinelOne