Security experts claim to have discovered ten distinct ransomware families that have recently diverged from Babuk, a ransomware outbreak whose source code was exposed online in 2021.
Hackers have been using leaked source code from well-known ransomware firms like LockBit, Conti, and REvil for years, experts in the field have long warned. SentinelLabs claimed in research made public on Thursday that about a dozen organisations have created their own malware based on Babuk.
The Babuk Locker ransomware builder was made publicly available online in June 2021, making it simple for any would-be criminal organisation to enter the ransomware market with little to no development work.
Hackers are drawn to the Babuk Locker "builder" because it allows them to make unique variations of the Linux-based Babuk Locker ransomware that can be used to attack the common ESXi servers used by big organisations and corporations.
“Over the past two years, organized ransomware groups adopted Linux lockers, including ALPHV, Black Basta, Conti, Lockbit, and REvil,” SentinelLabs’ Alex Delamotte stated. “These groups focus on ESXi before other Linux variants, leveraging built-in tools for the ESXi hypervisor to kill guest machines, then encrypt crucial hypervisor files.”
According to Delamotte, the ten versions they found appeared in the second half of 2022 and the first part of 2023, indicating "an increasing trend of Babuk source code adoption."
SentinelLabs discovered connections between the stolen Babuk source code and the ESXi lockers of numerous well-known ransomware organisations, including Conti, REvil, Play, and Ransom House, which have all been linked to some of the most damaging intrusions in the past two years.
In order to create ESXi lockers for themselves, smaller ransomware organisations have adopted the Babuk source code.
To contrast it to the other versions of the Babuk that are available online, SentinelLabs created what they referred to as a "baseline" Babuk. The way the malware encrypted documents and coding resemblances were among the numerous connections they discovered.
The researchers also noted that Babuk and ESXiArgs, which raised concerns in February after more than 3,800 organisations in the US, France, and Italy were attacked, hardly had any similarities. At the time, some falsely accused Babuk of being responsible for the series of attacks that targeted Rice University, the Georgia Institute of Technology, and the Supreme Court of Florida.