Ransomware, Threat Management

ESXi ransomware derived from Babuk code on the rise in early 2023

Software source code.

There’s mounting evidence that ESXi hypervisors remain valuable targets for ransomware groups and that the leak of Babuk source code in September 2021 offered unprecedented insight for threat actors into the development operations of an organized ransomware group.

In a May 11 blog post, SentientlLabs reported that they observed a strong increase in VMware ESXi ransomware based on Babuk throughout early 2023.

However, Alex Delamotte, a SentinelOne threat researcher, said while other researchers claimed that Feburary’s ESXiArgs campaign on VMware servers was based on Babuk source code, SentinelOne's analysis found that it’s unlikely because the only significant similarity between ESXiArgs and Babuk is that both use the same open-source libraries to implement the Sosemanuk stream cipher to encrypt files.

“The takeaway is that ESXi ransomware remains a popular target and the leaked Babuk source code enables actors of all skill levels to participate,” explained Delamotte. “The ESXiArgs campaign likely demonstrated the value and impact of ESXi lockers to a wider audience, which drove the increase in new Babuk-like variants through Q1 and Q2 2023."

SentinelLabs said that over the past two years, organized ransomware groups adopted Linux lockers, including ALPHV, Black Basta, Conti, Lockbit and REvil. These groups focus on ESXi before other Linux variants, leveraging built-in tools for the ESXi hypervisor to kill guest machines, then encrypt crucial hypervisor files.

SentinelLabs also reported that it identified unexpected connections between ESXi ransomware families, exposing likely relationships between Babuk and better-known operations such as Conti and REvil. While ties to REvil remain tentative, the SentinelLabs researchers said the possibility exists that Babuk, Conti and REvil potentially outsourced an ESXi locker project to the same developer.

Companies are prime targets if they use ESXi and don’t have an accurate view into the version used, where those assets reside in their network, and if they face the public internet, said Dan Paulmeno, director of managed security services at Kivu Consulting.  

“In this case, a lot of ransomware crews that don’t normally target ESXi pounced on this opportunity because scanning and script deployment opportunities are trivial in comparison to enterprisewide attacks,” said Paulmeno.

This new information continues a trend of attacks on ESXi by cybercriminals looking for windfalls by compromising a host of hosts, said Craig Burland, chief information security officer at inversion6. Burland said the ESXiArgs attacks highlighted a big challenge with ESXi: timely patching. 

“Patching workloads related to a single application typically takes some negotiation between IT and the business owner,” Burland said. “Planning patches for ESXi immediately sparks 20 of those conversations and triggers the business to question the real risk of not applying every update.”

Mike Parkin, senior technical engineer at Vulcan Cyber, added that it's always fascinating to get insight into how cybercriminal organizations operate both in how they function and how they develop code.  Parkin said it makes sense that other threat actors continued to develop the leaked Babuk code to suit their own needs. 

“While the Babuk leak may have hurt that specific group, it became an opportunity for other threat actors to incorporate new tools and techniques into their own attacks,” said Parkin. “It becomes a challenge for defenders because even though we now have access to the original attack code, there will be more iterations of it that we'll have to counter and the new variants will be harder to associate with a specific threat group.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.