Threat Actors Use Babuk Code to Build Hypervisor Ransomware

Written by

An increasing number of threat actors have been observed using the leaked Babuk code from 2021 to create a new form of ransomware targeting VMware ESXi hypervisor environments.

According to an advisory published by SentinelOne earlier today, these novel variants emerged between 2022 and 2023, showing an increasing trend of Babuk source code adoption.

The researchers also said that malware tools built using the leaked source code enabled individuals to attack Linux systems even if they do not have the skills to create a functional program from scratch.

“Due to the prevalence of ESXi in on-prem and hybrid enterprise networks, these hypervisors are valuable targets for ransomware,” wrote SentinelOne cybersecurity expert Alex Delamotte.

“Over the past two years, organized ransomware groups adopted Linux lockers, including ALPHV, Black Basta, Conti, Lockbit, and REvil.”

Read more on Black Basta attacks and techniques here: Black Basta Deploys PlugX Malware in USB Devices With New Technique

“These groups focus on ESXi before other Linux variants, leveraging built-in tools for the ESXi hypervisor to kill guest machines, then encrypt crucial hypervisor files,” Delamotte added.

After analyzing the leaked Babuk source code, SentinelOne discovered similarities with ESXi lockers linked to Conti and REvil. 

“We also compared them to the leaked Conti Windows locker source code, finding shared, bespoke function names and features.”

In addition to these known groups, SentinelOne found smaller ransomware operations using the Babuk source code to generate more recognizable ESXi lockers. 

“Ransom House’s Mario and a previously undocumented ESXi version of Play Ransomware comprise a small handful of the growing Babuk-descended ESXi locker landscape,” reads the advisory.

According to SentinelOne, the fact that threat actors with fewer resources are also using the Babuk code particularly indicates this trend’s growth.

“Based on the popularity of Babuk’s ESXi locker code, actors may also turn to the group’s Go-based NAS locker. Golang remains a niche choice for many actors, but it continues to increase in popularity,” Delamotte concluded.

“The targeted NAS systems are also based on Linux. While the NAS locker is less complex, the code is clear and legible, which could make ransomware more accessible for developers who are familiar with Go or similar programming languages.”

Go was also recently used by DragonSpark threat actors, according to a separate SentinelOne advisory from January.

Editorial image credit: IgorGolovniov /

What’s hot on Infosecurity Magazine?