SentinelOne warns of increase in attacks targeting VMware ESXi
SentinelOne has issued a warning about a rise in the number of new ransomware families built specifically for VMware ESXi hypervisors. These lockers are derived from the leaked Babuk source code.
The Babuk ransomware family, first observed in January 2021, quickly gained notoriety for its attacks on a number of organizations. In September 2021, however, one of the malware’s operators posted its source code online. The leak proved pivotal: it allowed security researchers to release a free decryption tool in under two months.
Threat actors have used the leaked source code to produce a string of new ransomware strains, among them RTM Locker, Rook, and Rorschach (also known as BabLock), each of which can encrypt ESXi hosts in addition to Windows or Linux systems.
According to SentinelOne, at least ten distinct ransomware families built on the Babuk source code have emerged over the past year to target VMware ESXi hosts specifically. The code has also been picked up by smaller operations such as RansomHouse’s Mario, Play, Cylance, Dataf Locker, Lock4, and XVGV. More worryingly, established gangs such as Alphv/BlackCat, Black Basta, Conti, LockBit, and REvil have also been observed aiming their attacks at ESXi deployments.
SentinelOne added that, among those larger groups, only the Conti and REvil ESXi lockers show overlap with the leaked Babuk code, which points to a possible link between the operations: they may have outsourced an ESXi locker project to the same developer, or shared code as part of a collaboration. By contrast, the ESXiArgs locker has little in common with Babuk beyond its use of the same open-source Sosemanuk stream cipher implementation.
SentinelOne says threat actors are increasingly using the Babuk code as a base for ESXi and Linux lockers, and warns that the Babuk group’s Go-based NAS locker may be adopted next, as Go is gaining popularity among threat actors. Because the NAS appliances it targets are largely Linux-based, the NAS locker could give attackers an easy and effective tool for further ransomware campaigns.
The implications reach beyond ESXi installations: the collaboration and code-sharing between ransomware groups show how these operations continue to evolve their tooling in pursuit of financial gain.
The sources for this piece include an article in SecurityWeek.