Over the past year, 10 different ransomware families have utilized leaked Babuk source code to develop lockers for VMware ESXi hypervisors.
Hypervisors are programs used to run multiple virtual machines (VMs) on a single server. By targeting ESXi, hackers may be able to infect multiple VMs in an enterprise environment more directly than they could through conventional means.
A few of the Babuk-based ESXi ransomwares are associated with major threat actors like Conti and REvil. And according to Alex Delamotte, senior threat researcher at SentinelOne, a majority of them have been utilized in real-world attacks in recent months.
“It looks like it’s an effective model,” says Delamotte, who published the new research this week. “As long as they stay profitable, hackers are going to keep using these lockers. And it does seem like they work.”
How We Got Here
Babuk was a popular though imperfect ransomware-as-a-service (RaaS) offering, first circulated in early 2021.
In September 2021, its business model was interrupted when one of the original creators had a moment of reckoning. “One of the developers for Babuk ransomware group, a 17 year old person from Russia, has been diagnosed with Stage-4 Lung Cancer,” vx-underground, a repository for malware source code, wrote in a tweet. “He has decided to leaked the ENTIRE Babuk source code for Windows, ESXI, NAS.”
Babuk As a Baseline
Since then, threat actors have been using Babuk’s various leaked tools as a baseline for crafting new malicious payloads.
For instance, in their report published May 4, researchers from Sentinel Labs identified significant overlaps between the Babuk ESXi ransomware builder and ten other ransomware families: Cylance, Dataf Locker, Lock4, Mario, Play, Rorschach, RTM Locker, XVGV, RHKRC — closely associated with the REvil group’s Revix locker — and “Conti POC” — a proof of concept from the notorious and now largely defunct ransomware group.
Delamotte says Mario, Rorschach, XVGV, and Conti POC have all been utilized in attacks already, and users on Bleeping Computer forums have reported being victim to Dataf Locker and Lock4.
Why Hackers Target ESXi
VMware ESXi, a “bare metal” hypervisor, uses no operating system as a buffer (“bare metal”), instead interfacing directly with logic hardware. It’s installed directly onto a physical server with unfettered access and control over the machine’s underlying resources.
All of this is what makes ESXi a powerful platform for IT administrators and, by the same token, hackers. Bad actors can aim to hit multiple VMs running on a single virtual server, utilizing “built-in tools for the ESXi hypervisor to kill guest machines, then encrypt crucial hypervisor files,” Delamotte explained in the report.
Enterprises running VMware’s ESXi need to be cautious, though the fix is straightforward.
“The most important thing is to ensure that any access — especially management access, to something like an ESXi hypervisor — is very limited,” Delamotte advises. “You want to have good role-based access controls and definitely MFA wherever possible on any service account.”
Strict, effective access controls should be enough to insulate the vulnerable. “I don’t really see any situation,” she says, “where somebody can move on to this kind of server without having admin privileges.”
