Security news that informs and inspires

Ransomware Actors Adopt Leaked Babuk Code to Hit Linux Systems


The 2021 Babuk source code leak is giving more ransomware actors of varying sophistication and expertise the ability to target Linux systems.

A new report from SentinelLabs shows that more threat actors are adopting the source code, which was stolen and leaked on a Russian hacking forum in September 2021. In the second half of 2022 and first half of 2023, researchers identified nine ransomware groups using VMware ESXi lockers based on the leaked code.

“There is a noticeable trend that actors increasingly use the Babuk builder to develop ESXi and Linux ransomware,” said researchers with SentinelLabs in a Thursday analysis. “This is particularly evident when used by actors with fewer resources, as these actors are less likely to significantly modify the Babuk source code.”

Babuk was one of the earlier ransomware groups to target the ESXi platform. Since then, threat groups have increasingly gone after hypervisors because of their prevalence in on-prem and hybrid enterprise environments. Over the past year other researchers have also found new ransomware families built on the leaked Babuk code: last year, for instance, researchers with ReversingLabs analyzed a new variant of the AstraLocker ransomware that is a fork of the Babuk ransomware-as-a-service.

Researchers said they recently found overlap between the leaked Babuk code and ESXi lockers attributed to bigger players, like Conti and REvil. They also found several smaller ransomware families relying on the leaked source code, such as the Mario ransomware used by Ransom House and a previously unreported ESXi version of the Play ransomware.

These smaller groups may not have the resources or expertise to target Linux systems on their own, and reusing the leaked code means they do not need to make a large or time-consuming investment in order to infect victims. On the other hand, researchers noted that other big ransomware actors - like ALPHV, Black Basta, Hive and Lockbit - have targeted Linux devices with ESXi lockers that show no “obvious similarity” to Babuk.

The ties between Conti, REvil and Babuk, however, admit several explanations, said researchers. The groups may have outsourced an ESXi locker project to the same developer, for instance. Regardless, the growing adoption of leaked source code shows how attribution is becoming more muddled as ransomware groups outsource, share and leak code.

“The talent pool for Linux malware developers is surely much smaller in ransomware development circles, which have historically held demonstrable expertise in crafting elegant Windows malware,” said researchers. “Ransomware groups have experienced numerous leaks, so it is plausible smaller leaks occurred within these circles. Additionally, actors may share code to collaborate, similar to open-sourcing a development project.”

Researchers think that more threat actors will increasingly use the Babuk builder to create ransomware targeting the ESXi platform. In addition, based on the popularity of Babuk’s ESXi locker code, threat actors may also use the group’s Go-based version of its locker that targets network attached storage (NAS) devices.

“Golang remains a niche choice for many actors, but it continues to increase in popularity,” said researchers. “The targeted NAS systems are also based on Linux. While the NAS locker is less complex, the code is clear and legible, which could make ransomware more accessible for developers who are familiar with Go or similar programming languages.”