View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Leaked Babuk source code used by 10 ransomware gangs targeting VMware ESXi

The 'locker' code, leaked in 2021, is being used to target VMware ESXi hypervisors running on Linux.

By Claudia Glover

Leaked source code from cybercriminal gang Babuk is being used by ten ransomware groups to target VMware ESXi servers. The leaked code, known as Babuk Locker, has spawned a string of malware variants which have been deployed over the past 18 months, security researchers say.

Babuk source code used by ransomware gangs
VMware ESXi hypervisors running on Linux were targeted by up to 10 criminal gangs using leaked Babuk source code. (Photo by Pavel Kapysh/Shutterstock)

The malware has enabled criminals to target Linux systems, where they may have otherwise lacked the expertise to do so otherwise, according to an investigation by SentinalLabs, the research arm of security company SentinalOne.

Babuk source code used by ransomware gangs

The code is being used to target VMware ESXi hypervisors, which are deployed in both on-premises and hybrid working environments, making them valuable targets for ransomware. The Babuk source code-based malwares specifically target hypervisors running on Linux systems, according to SentinalLabs.

“Over the past two years, organised ransomware groups adopted Linux lockers, including ALPHV, Black Basta, Conti, Lockbit, and REvil,” the report says. “These groups focus on ESXi before other Linux variants, leveraging built-in tools for the ESXi hypervisor to kill guest machines, then encrypt crucial hypervisor files.”

Smaller criminal gangs are also using the malware to implement attacks. “Ransom House’s Mario and a previously undocumented ESXi version of Play Ransomware comprise a small handful of the growing Babuk-descended ESXi locker landscape,” it says.

Babuk’s code is thought to have been leaked onto a Russian online forum by a malicious insider in September 2021. The leak delivered a rare insight into how hacking gangs operate, as well as containing all the code required to create a fully functioning ransomware operation.

VMware ESXi targeted by cybercriminals

Vulnerabilities in VMware ESXi hypervisors have been widely exploited in recent months, providing access to thousands of systems and triggering a crime wave earlier this year. The vulnerabilities were used to target more than 3,800 victims including the Georgia Institute of Technology and Rice University in Houston, as well as other such institutions in Hungary and Slovakia. 

Content from our partners
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
Green for go: Transforming trade in the UK

Open-source operating system Linux, which is widely used in corporate networks and to run connected IoT devices, is becoming a popular target for hackers. The trend began last year according to a report by Atlas VPN. “The majority, 854,690, of new Linux malware samples were detected in the first quarter of 2022,” it reads.

This corresponds to a decline in malware written for other operating systems. “New malware numbers dropped by 39% to 73.7 million in 2022. Android saw the most significant fall in newly programmed malware. New Android malware samples declined by 68%, from 3.4 million in 2021 to 1.1 million in 2022,” the report says.

Speaking to Tech Monitor earlier this year, Allan Liska, CSIRT at Recorded Future told Tech Monitor, said: “A lot of web hosting is done on Linux servers. Linux has always been the primary hosting platform because it’s a lot cheaper to run servers on Linux than it is on Windows.”

He went on to say: “We’re storing more and more data in the cloud and that means that a lot of what we think of as cloud infrastructure is actually being hosted on Linux machines. If data is stored in the cloud and that cloud happens to run on Linux servers, you want to be able to get access to those Linux servers to be able to steal the data.”

Read more: IBM promises end-to-end quantum-safe encryption

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU