Throughout early 2023, SentinelLabs observed an increase in VMWare ESXi ransomware based on Babuk (aka Babak, Babyk). Babuk was one of the early players in the ESXi ransomware space. The group’s longevity was crippled in 2021 when a Babuk developer leaked the builder source code for Babuk’s C++-based Linux Executable & Linkable Format (ELF) ESXi, Golang-based Network Attached Storage (NAS), and C++-based Windows ransomware tooling. The Babuk leaks in September 2021 provided unprecedented insight into the development operations of an organised ransomware group.
Through early 2022, there were few indications that actors had adapted the leaked Babuk source code, aside from a short-lived ‘Babuk 2.0’ variant and the occasional new Windows ransomware du jour. As cybercrime research is often laser-focused on Windows, Linux trends can develop under the radar.
Due to the prevalence of ESXi in on-prem and hybrid enterprise networks, these hypervisors are valuable targets for ransomware. Over the past two years, organised ransomware groups adopted Linux lockers, including ALPHV, Black Basta, Conti, Lockbit, and REvil. These groups focus on ESXi before other Linux variants, leveraging built-in tools for the ESXi hypervisor to kill guest machines, then encrypt crucial hypervisor files.
Key points
- SentinelLabs identified 9 ransomware families using VMWare ESXi lockers based on the 2021 Babuk source code leaks
- These variants emerged through H2 2022 and H1 2023, which shows an increasing trend of Babuk source code adoption
- Leaked source code enables actors to target Linux systems when they may otherwise lack expertise to build a working program
- Source code leaks further complicate attribution, as more actors will adopt the tools
Conclusion
SentinelLabs’ analysis identified unexpected connections between ESXi ransomware families, exposing likely relationships between Babuk and more illustrious operations like Conti and REvil. While ties to REvil remain tentative, the possibility exists that these groups–Babuk, Conti, and REvil–potentially outsourced an ESXi locker project to the same developer.
The talent pool for Linux malware developers is surely much smaller in ransomware development circles, which have historically held demonstrable expertise in crafting elegant Windows malware. Ransomware groups have experienced numerous leaks, so it is plausible smaller leaks occurred within these circles. Additionally, actors may share code to collaborate, similar to open-sourcing a development project.
There is a noticeable trend that actors increasingly use the Babuk builder to develop ESXi and Linux ransomware. This is particularly evident when used by actors with fewer resources, as these actors are less likely to significantly modify the Babuk source code.
The full report is available online at SentinelLabs.
