locks

A ransomware source code leak spawned at least 10 ‘Babuk’ imitators, researchers say

Cybersecurity researchers said they’ve identified ten different ransomware families that have recently branched off from Babuk — a ransomware strain that had its source code leaked online in 2021.

Ransomware experts have long warned of hackers making improvements on leaked source code belonging to popular ransomware brands like LockBit, Conti and REvil. In research released on Thursday, SentinelLabs said nearly a dozen groups have developed their own malware based on Babuk.

In June 2021, the builder for the Babuk Locker ransomware was leaked online, allowing easy access to an advanced ransomware strain for any would-be criminal group looking to get into the ransomware scene with little to no development effort.

The Babuk Locker "builder" is especially attractive to hackers because it can be used to create custom versions of the Linux-based Babuk Locker ransomware that can be used to target ESXi servers, which are popular among large corporations and businesses.

“Over the past two years, organized ransomware groups adopted Linux lockers, including ALPHV, Black Basta, Conti, Lockbit, and REvil,” SentinelLabs’ Alex Delamotte said. “These groups focus on ESXi before other Linux variants, leveraging built-in tools for the ESXi hypervisor to kill guest machines, then encrypt crucial hypervisor files.”

Delamotte said the 10 variants they discovered emerged in the second half of 2022 and the first half of 2023, showing “an increasing trend of Babuk source code adoption.”

SentinelLabs found overlaps between the leaked Babuk source code and ESXi lockers from several well known ransomware groups like Conti, REvil, Play and Ransom House – all of which have been behind some of the most devastating cyberattacks seen over the last two years.

Smaller ransomware groups also used the Babuk source code to generate ESXi lockers for themselves as well.

SentinelLabs compiled what they called a “baseline” Babuk in order to compare it to the other versions floating around the internet. They found dozens of ties, including the way the ransomware encrypted documents and code similarities.

The Play ransomware group’s version included the same file searching functionality as Babuk, something Ransom House’s Mario ransomware also adopted.

SentinelLabs found several versions used by the Conti group, which Delamotte said had trouble getting their ESXi locker to work. Some versions developed by Conti were more mature than the baseline Babuk locker despite sharing similar functions.

Delamotte noted that while there are “undoubtedly more Babuk offspring that slipped under the radar,” several other unique ESXi ransomware families have emerged recently from gangs like ALPHV, BlackBasta, Hive, and Lockbit.

The researchers added that there were almost no similarities between Babuk and ESXiArgs – which caused alarm in February after more than 3,800 organizations across the United States, France, Italy were attacked. Some at the time erroneously blamed Babuk for the string of attacks – which included Florida's Supreme Court, the Georgia Institute of Technology, Rice University.

DC-Police-Babuk-1.png
Babuk shut down shortly after it attacked Washington D.C.'s Metropolitan Police Department.

Babuk was one of the most prolific ransomware groups operating before it attacked Washington D.C.'s Metropolitan Police Department and eventually shut down.

Several cybersecurity experts backed SentinelLabs’ findings more broadly, noting that ransomware groups are often cribbing tactics and features to add to their own malware.

Recorded Future ransomware expert Allan Liska said the report is an illustration of what he calls “franken-ransomware.”

“Most ‘new’ ransomware today is just built on leaked code from older ransomware. For example, between January 1 and April 30th this year, Recorded Future identified 88 ‘new’ ransomware variants,” he said. “Most of those were just recycled code. Not just Babuk, but Chaos, Conti, REvil and LockBit among others.”

After the leak of the source code for LockBit’s ransomware, Liska said his team found more than 150 “new” ransomware groups throughout 2022, with most of them using stolen Conti or REvil code. The Record is an editorially independent unit of Recorded Future.

Delinea chief security scientist Joseph Carson added that recently VMWare ESXi has had several notable vulnerability disclosures and patches. This, he said, might be why attackers have an increased interest in targeting those environments.

The added focus on ESXi has also come in a time of volatility in ransomware groups themselves between leaked code and the impacts of geopolitical conflict, explained Netenrich’s John Bambenek.

Due to the cybercriminal climate, Bambenek said many threat actors have to simply repurpose tools already out there compared to writing their own.

“It becomes a challenge for defenders because even though we now have access to the original attack code, there will be more iterations of it that we'll have to counter and the new variants will be harder to associate with a specific threat group,” Vulcan Cyber senior technical engineer Mike Parkin.

“While the Babuk leak may have hurt that specific group, it became an opportunity for other threat actors to incorporate new tools and techniques into their own attacks.”

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.