Nine New Ransomware Families Targeting VMware ESXi Built From the Leaked Babuk Code

Since the Babuk ransomware source code leaked in September 2021, several threat groups have used it to build nine distinct ransomware families capable of targeting VMware ESXi systems.

New variants emerged in the second half of 2022 and the first half of 2023, pointing to growing use of the Babuk source code by attackers, according to the information security company SentinelOne. The leaked code lets attackers target Linux systems even without much programming expertise of their own. The various groups concentrated on ESXi hypervisors, and at least three malware families, Cylance, Rorschach (Bablock), and RTM Locker, are based on the Babuk source code.

Lock4, Dataf, Mario, Play and Babuk 2023 (XVGV) are further families that have integrated multiple Babuk functions into their code. SentinelOne researchers noted that ESXiArgs, by contrast, shows no signs of code overlap with Babuk. SentinelOne did, however, find similarities between the Babuk source code and the Conti and REvil ransomware aimed at ESXi. No matches were found between the Babuk code and ALPHV, Black Basta, Hive, or LockBit.
