Since the Babuk ransomware source code leaked in September 2021, multiple threat actors have used it to build as many as nine distinct ransomware families capable of targeting VMware ESXi systems. The trend became especially pronounced through H2 2022 and H1 2023 as more cybercrime groups sought to take advantage of the leaked code.

According to SentinelOne security researcher Alex Delamotte, this reflects a growing adoption of the Babuk source code: the leak lets actors target Linux systems even when they lack the expertise to build a working locker of their own. Cybercrime groups both large and small have set their sights on ESXi hypervisors, and at least three ransomware strains that have emerged since the start of the year, Cylance, Rorschach (aka BabLock), and RTM Locker, are based on the leaked Babuk code.

SentinelOne's latest analysis shows the phenomenon is more widespread than initially thought. The company identified source code overlaps between Babuk and the ESXi lockers attributed to Conti and REvil (aka REvix). Other families that have ported features from Babuk into their own code include LOCK4, DATAF, Mario, Play, and Babuk 2023 (aka XVGV).

Despite this trend, SentinelOne observed no parallels between Babuk and the ESXi lockers of ALPHV, Black Basta, Hive, and LockBit. It also found "little similarity" between ESXiArgs and Babuk, indicating that the earlier attribution of ESXiArgs to Babuk was erroneous.

Overall, the Babuk code leak has had a significant impact on the threat landscape, giving a range of cybercrime groups a ready-made base for ransomware that targets ESXi systems. With the trend still rising, how SentinelOne and other security companies adapt their defenses against these newly emerging strains remains to be seen.