Leaked source code from cybercriminal gang Babuk is being used by ten ransomware groups to target VMware ESXi servers. The leaked code, known as Babuk Locker, has spawned a string of malware variants which have been deployed over the past 18 months, security researchers say.
The malware has enabled criminals to target Linux systems, where they may otherwise have lacked the expertise to do so, according to an investigation by SentinelLabs, the research arm of security company SentinelOne.
Babuk source code used by ransomware gangs
The code is being used to target VMware ESXi hypervisors, which are deployed in both on-premises and hybrid working environments, making them valuable targets for ransomware. The Babuk-derived malware specifically targets hypervisors running on Linux systems, according to SentinelLabs.
“Over the past two years, organised ransomware groups adopted Linux lockers, including ALPHV, Black Basta, Conti, Lockbit, and REvil,” the report says. “These groups focus on ESXi before other Linux variants, leveraging built-in tools for the ESXi hypervisor to kill guest machines, then encrypt crucial hypervisor files.”
Smaller criminal gangs are also using the malware to implement attacks. “Ransom House’s Mario and a previously undocumented ESXi version of Play Ransomware comprise a small handful of the growing Babuk-descended ESXi locker landscape,” it says.
Babuk’s code is thought to have been leaked onto a Russian online forum by a malicious insider in September 2021. The leak delivered a rare insight into how hacking gangs operate, as well as containing all the code required to create a fully functioning ransomware operation.
VMware ESXi targeted by cybercriminals
Vulnerabilities in VMware ESXi hypervisors have been widely exploited in recent months, providing access to thousands of systems and triggering a crime wave earlier this year. The vulnerabilities were used to target more than 3,800 victims including the Georgia Institute of Technology and Rice University in Houston, as well as other such institutions in Hungary and Slovakia.
Open-source operating system Linux, which is widely used in corporate networks and to run connected IoT devices, is becoming a popular target for hackers. The trend began last year according to a report by Atlas VPN. “The majority, 854,690, of new Linux malware samples were detected in the first quarter of 2022,” it reads.
This corresponds to a decline in malware written for other operating systems. “New malware numbers dropped by 39% to 73.7 million in 2022. Android saw the most significant fall in newly programmed malware. New Android malware samples declined by 68%, from 3.4 million in 2021 to 1.1 million in 2022,” the report says.
Speaking to Tech Monitor earlier this year, Allan Liska, CSIRT at Recorded Future, said: “A lot of web hosting is done on Linux servers. Linux has always been the primary hosting platform because it’s a lot cheaper to run servers on Linux than it is on Windows.”
He went on to say: “We’re storing more and more data in the cloud and that means that a lot of what we think of as cloud infrastructure is actually being hosted on Linux machines. If data is stored in the cloud and that cloud happens to run on Linux servers, you want to be able to get access to those Linux servers to be able to steal the data.”