A growing number of ransomware attacks are utilizing the leaked Babuk ransomware source code to develop Linux encryptors that specifically target VMware ESXi servers. SentinelLabs researchers have identified a series of nine Babuk-based ransomware variants that emerged between late 2022 and early 2023, indicating a noticeable trend among threat actors.
This adoption of the Babuk builder is particularly prominent among actors with limited resources, as they are less likely to extensively modify the original source code. The use of Babuk’s leaked builder has made it increasingly difficult to attribute attacks to specific actors, further complicating the identification process.
While the rise of Babuk-based ransomware is significant, there are also other distinct ransomware strains that have been targeting VMware ESXi virtual machines for several years. These include Royal Ransomware, Nevada Ransomware, GwisinLocker ransomware, Luna ransomware, RedAlert Ransomware, and others like Black Basta, LockBit, BlackMatter, AvosLocker, HelloKitty, REvil, RansomEXX, and Hive.
The availability of Babuk’s leaked builder has enabled attackers to target Linux systems without the need for extensive technical expertise in developing custom ransomware strains. However, this widespread adoption of the same tools among multiple ransomware families has made it more challenging to attribute attacks and identify the responsible individuals or groups.
The Babuk ransomware operation gained prominence in early 2021 through its double-extortion attacks on businesses. The group’s ransomware source code was leaked on a Russian-speaking hacking forum in September 2021, along with encryptors and decryptors for VMware ESXi, NAS, and Windows.
Following its attack on Washington DC's Metropolitan Police Department (MPD) in April 2021, the group attracted attention from US law enforcement, prompting its members to claim that the operation had been shut down.
Subsequently, Babuk members split, with the administrator launching the Ramp cybercrime forum and other core members relaunching the ransomware as Babuk V2.