
Exploring the Ramifications of the Leaked Babuk Code for VMware ESXi Ransomware: A Current Affairs Commentary

Leaked Babuk Code Fuels New Wave of VMware ESXi Ransomware

The cybersecurity firm SentinelOne has issued a warning about a rise in newly developed ransomware families that target VMware ESXi systems and are built on the leaked Babuk source code. The Babuk ransomware hit several organizations in January 2021; its source code was leaked in September 2021 by one of its operators, which eventually allowed researchers to release a decryption tool for it. Since then, however, the leaked code has been used to develop new ransomware variants, including RTM Locker, Rook, and Rorschach, which also target VMware ESXi servers. SentinelOne notes that the past year has seen at least ten ransomware families specifically designed to attack VMware ESXi servers using the Babuk code. Operations such as BlackCat, Black Basta, Lockbit, REvil, and others are also observed to target VMware ESXi deployments.

However, SentinelOne’s analysis of these malware families found that only the Conti and REvil ESXi ransomware share code overlaps with Babuk. Additionally, ESXiArgs, which wreaked havoc earlier this year, showed very few similarities to Babuk beyond using the same open-source Sosemanuk encryption implementation. SentinelOne suggests that links may exist between the ransomware groups, which potentially outsource their ESXi locker projects to the same developer, given the code similarities.

The cybersecurity firm highlights that threat actors have started using the Babuk code to build ESXi and Linux lockers, and that they may also adopt the group’s Go-based NAS locker in the future. Go remains a niche choice for many actors, but its use continues to grow in popularity, and the targeted NAS systems are Linux-based. Although the NAS locker is less complex, its code is clear and legible, which could make it accessible to developers who are familiar with Go or similar programming languages.

Recommendation

As ransomware threat actors evolve, organizations are advised to review and update their security tools and practices regularly. It is also critical to ensure that essential software, both operating systems and third-party programs, is fully patched with the latest updates. In addition, companies should adopt a ‘defense-in-depth’ cybersecurity strategy that implements safeguards throughout the entire infrastructure, with multiple layers of protection such as web application firewalls, anti-malware, intrusion detection, and encryption. Furthermore, organizations should back up their data regularly, store backups in a secure offline location, and test the restore process to confirm it works as expected. Lastly, comprehensive security awareness training is critical so that employees stay informed and vigilant against the ever-evolving threat of ransomware attacks.
