Ransomware Hackers Targeting ESXi Hypervisors with Leaked Babuk Code
Over the last year, hackers have utilized leaked Babuk ransomware source code to develop lockers for VMware ESXi hypervisors. Hypervisors are programs used to run multiple virtual machines on a single server, and by targeting ESXi, hackers can infect multiple virtual machines in an enterprise environment more directly than they could through conventional means. According to Alex Delamotte, senior threat researcher at SentinelOne, a majority of these Babuk-based ESXi ransomware attacks have been utilized in real-world attacks in recent months.
The Background
Babuk was a popular, yet imperfect, ransomware-as-a-service (RaaS) offering, which was first circulated in early 2021. Unfortunately for Babuk, one of its developers, a 17-year-old individual from Russia, was diagnosed with Stage-4 Lung Cancer in September 2021. The developer made a decision to leak the ENTIRE Babuk source code, including the Windows, ESXi, and NAS source codes.
The release of Babuk’s various leaked tools has served as a baseline for crafting new malicious payloads for threat actors. In their report published on May 4, researchers from Sentinel Labs identified significant overlaps between the Babuk ESXi ransomware builder and ten other ransomware families, which have been associated with major threat actors like Conti and REvil.
Why ESXi Hypervisors are being targeted by Hackers
VMware ESXi hypervisors are a “bare metal” hypervisor that run directly on the server’s hardware, without a buffer operating system. The ESXi hypervisor has complete control over the machine’s resources, making it a powerful platform for IT administrators. Unfortunately, it also makes it a powerful platform for hackers.
Using “built-in tools for the ESXi hypervisor, hackers can kill guest machines and encrypt crucial hypervisor files,” according to Delamotte. Enterprises running VMware’s ESXi are advised to have strict and effective access controls, particularly on management access. Good role-based access controls and multifactor authentication (MFA) wherever possible on any service account are essential in protecting against attacks.
Conclusion
The use of leaked Babuk code to develop malicious payloads aimed at ESXi hypervisors is a worrying trend. It emphasizes the importance of having appropriate security measures in place, including strict access controls and MFA, to protect critical systems and networks against cyberattacks. As the threat of ransomware continues to grow, it is vital that organizations take appropriate steps to secure their digital infrastructure to prevent becoming the next victim.
<< photo by Muha Ajjan >>
You might want to read !
- “IRS collaborates with Ukraine to trace hidden assets of Russian oligarchs using cryptocurrencies”
- Law Firm Whiteford Taylor & Preston LLP Discloses Data Breach Incident
- “Uncoiling the Threat: FBI Dismantles Russian FSB’s ‘Snake’ Malware Network”
- “Building a Strong Foundation: How FPGAs Are Paving the Way for Cyber Resiliency Integration”
- “Intel Boot Guard Key Leak Raises Long-Term Security Concerns”
- “Uncovering the Dark Side of Genomic Technology: The Alarming Vulnerability of DNA Sequencing Equipment to Cyber Attacks”
