Jump to content
  • Babuk code used by 9 ransomware gangs to encrypt VMWare ESXi servers

    alf9872000

    • 577 views
    • 3 minutes
     Share


    • 577 views
    • 3 minutes

    An increasing number of ransomware operations are adopting the leaked Babuk ransomware source code to create Linux encryptors targeting VMware ESXi servers.

     

    SentinelLabs security researchers observed this rising trend after spotting a rapid succession of nine Babuk-based ransomware variants that surfaced between the second half of 2022 and the first half of 2023.

     

    "There is a noticeable trend that actors increasingly use the Babuk builder to develop ESXi and Linux ransomware," said SentinelLabs threat researcher Alex Delamotte.

     

    "This is particularly evident when used by actors with fewer resources, as these actors are less likely to significantly modify the Babuk source code."

     

    The list of new ransomware families that have adopted it to build new Babuk-based ESXi encryptors since H2 2022 (and the associated extensions added to encrypted files) includes Play (.FinDom), Mario (.emario), Conti POC (.conti), REvil aka Revix (.rhkrc), Cylance ransomware, Dataf Locker, Rorschach aka BabLockLock4, and RTM Locker.

     

    Babuk_vs_Conti_POC.jpg

    Babuk vs. Conti POC comparison (SentinelLabs)

     

    As expected, Babuk's leaked builder has enabled attackers to target Linux systems even if they don't have the expertise to develop their own custom ransomware strains.

     

    Unfortunately, its use by other ransomware families has also made it much more challenging to identify the perpetrators of attacks since multiple actors' adoption of the same tools greatly complicates attribution efforts.

     

    These add to many other unique, non-Babuk-based ransomware strains targeting VMware ESXi virtual machines discovered in the wild for several years.

     

    Some of the ones found in the wild are Royal RansomwareNevada RansomwareGwisinLocker ransomwareLuna ransomwareRedAlert Ransomware, as well as Black BastaLockBitBlackMatterAvosLockerHelloKittyREvilRansomEXX, and Hive.

     

    italy-ransom-note.jpg
    Ransom note dropped by Mario ransomware VMware ESXi encryptor (MalwareHunterTeam)

    Source code and decryption keys leak

    The Babuk (aka Babyk and Babuk Locker) ransomware operation surfaced at the beginning of 2021 by targeting businesses in double-extortion attacks.

     

    The gang's ransomware source code was leaked on a Russian-speaking hacking forum in September 2021, together with VMware ESXi, NAS, and Windows encryptors, as well as encryptors and decryptors compiled for some of the gang's victims.

     

    After it attacked the Washington DC's Metropolitan Police Department (MPD) in April 2021, the cybercrime group attracted unwanted attention from U.S. law enforcement and claimed to have shut down the operation after beginning to feel the heat.

     

    Babuk members splintered off, with the admin launching the Ramp cybercrime forum and the other core members relaunching the ransomware as Babuk V2.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...