An increasing number of ransomware operations are adopting the leaked Babuk ransomware source code to create Linux encryptors targeting VMware ESXi servers.
SentinelLabs security researchers observed this rising trend after spotting a rapid succession of nine Babuk-based ransomware variants that surfaced between the second half of 2022 and the first half of 2023.
“There is a noticeable trend that actors increasingly use the Babuk builder to develop ESXi and Linux ransomware,” said SentinelLabs threat researcher Alex Delamotte.
“This is particularly evident when used by actors with fewer resources, as these actors are less likely to significantly modify the Babuk source code.”
The list of new ransomware families that have adopted it to build new Babuk-based ESXi encryptors since H2 2022 (and the associated extensions added to encrypted files) includes Play (.FinDom), Mario (.emario), Conti POC (.conti), REvil aka Revix (.rhkrc), Cylance ransomware, Dataf Locker, Rorschach aka BabLock, Lock4, and RTM Locker.
As expected, Babuk’s leaked builder has enabled attackers to target Linux systems even if they don’t have the expertise to develop their own custom ransomware strains.
Unfortunately, its use by other ransomware families has also made it much more challenging to identify the perpetrators of attacks since multiple actors’ adoption of the same tools greatly complicates attribution efforts.
These add to many other unique, non-Babuk-based ransomware strains targeting VMware ESXi virtual machines discovered in the wild for several years.
Some of the ones found in the wild are Royal Ransomware, Nevada Ransomware, GwisinLocker ransomware, Luna ransomware, RedAlert Ransomware, as well as Black Basta, LockBit, BlackMatter, AvosLocker, HelloKitty, REvil, RansomEXX, and Hive.
Source code and decryption keys leak
The Babuk (aka Babyk and Babuk Locker) ransomware operation surfaced at the beginning of 2021 by targeting businesses in double-extortion attacks.
The gang’s ransomware source code was leaked on a Russian-speaking hacking forum in September 2021, together with VMware ESXi, NAS, and Windows encryptors, as well as encryptors and decryptors compiled for some of the gang’s victims.
After it attacked the Washington DC’s Metropolitan Police Department (MPD) in April 2021, the cybercrime group attracted unwanted attention from U.S. law enforcement and claimed to have shut down the operation after beginning to feel the heat.
Babuk members splintered off, with the admin launching the Ramp cybercrime forum and the other core members relaunching the ransomware as Babuk V2.