Multiple Ransomware Groups Adapt Babuk Code to Target ESXi VMs

Published: 23/11/2024   Category: security




Two years ago, a popular ransomware-as-a-service group's source code was leaked. Now other ransomware groups are using it for their own purposes.



Over the past year, 10 different ransomware families have used leaked Babuk source code to develop lockers for VMware ESXi hypervisors.
Hypervisors are programs used to run multiple virtual machines (VMs) on a single server. By targeting ESXi, hackers may be able to infect multiple VMs in an enterprise environment more directly than they could through conventional means.
A few of the Babuk-based ESXi lockers are associated with major threat actors like Conti and REvil. And according to Alex Delamotte, senior threat researcher at SentinelOne, a majority of them have been used in real-world attacks in recent months.
"It looks like it's an effective model," says Delamotte, who published the new research this week. "As long as they stay profitable, hackers are going to keep using these lockers. And it does seem like they work."
Babuk was a popular, though imperfect, ransomware-as-a-service (RaaS) offering, first circulated in early 2021. In September 2021, its business model was interrupted when one of the original creators had a moment of reckoning. "One of the developers for Babuk ransomware group, a 17 year old person from Russia, has been diagnosed with Stage-4 Lung Cancer," vx-underground, a repository for malware source code, wrote in a tweet. "He has decided to leak the ENTIRE Babuk source code for Windows, ESXI, NAS."
Since then, threat actors have been using Babuk's various leaked tools as a baseline for crafting new malicious payloads.
For instance, in their report published May 4, researchers from Sentinel Labs identified significant overlaps between the Babuk ESXi ransomware builder and ten other ransomware families: Cylance, Dataf Locker, Lock4, Mario, Play, Rorschach, RTM Locker, XVGV, RHKRC (closely associated with the REvil group's Revix locker), and Conti POC, a proof of concept from the notorious and now largely defunct ransomware group.
Delamotte says Mario, Rorschach, XVGV, and Conti POC have all been utilized in attacks already, and users on Bleeping Computer forums have reported being victim to Dataf Locker and Lock4.
VMware ESXi is a bare-metal hypervisor: it runs directly on the server hardware with no host operating system beneath it. It is installed directly onto a physical server, with unfettered access to and control over the machine's underlying resources.
All of this is what makes ESXi a powerful platform for IT administrators and, by the same token, for attackers. "Bad actors can aim to hit multiple VMs running on a single virtual server, utilizing built-in tools for the ESXi hypervisor to kill guest machines, then encrypt crucial hypervisor files," Delamotte explained in the report.
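The behaviour Delamotte describes (built-in ESXi tools used to stop guests, followed by encryption of files on the datastore) leaves a footprint in the hypervisor's own shell command log. The following is an added detection example, not code from the SentinelLabs report or from any of the lockers it covers. It parses constructed sample lines laid out like ESXi's /var/log/shell.log (timestamp, shell pid, user, command) and flags a shell session that issues a burst of VM kill commands (`esxcli vm process kill`, `vim-cmd vmsvc/power.off`) and then runs something against /vmfs/volumes. The log lines, the command patterns, the window and the threshold are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample, modelled on the layout of ESXi's /var/log/shell.log.
# Not a real capture; the kill-then-encrypt sequence is illustrative.
SAMPLE_SHELL_LOG = """\
2023-05-04T09:14:02Z shell[2099641]: [root]: esxcli system version get
2023-05-04T09:14:30Z shell[2099641]: [root]: esxcli vm process list
2023-05-04T09:14:41Z shell[2099641]: [root]: esxcli vm process kill --type=force --world-id=2100233
2023-05-04T09:14:43Z shell[2099641]: [root]: esxcli vm process kill --type=force --world-id=2100418
2023-05-04T09:14:50Z shell[2099641]: [root]: vim-cmd vmsvc/power.off 12
2023-05-04T09:15:05Z shell[2099641]: [root]: chmod +x /tmp/encrypt
2023-05-04T09:15:07Z shell[2099641]: [root]: /tmp/encrypt /vmfs/volumes/datastore1
2023-05-04T13:02:11Z shell[2101977]: [root]: vim-cmd vmsvc/power.off 7
2023-05-04T13:40:00Z shell[2101977]: [root]: esxcli storage filesystem list
"""

# Assumed record layout: "<ISO timestamp> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)
# Built-in ESXi commands that stop a running guest (assumed indicator set).
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b|\bvim-cmd\s+vmsvc/power\.off\b")
# Any command that names a datastore path after the kills is treated as suspicious.
DATASTORE_RE = re.compile(r"/vmfs/volumes/")


@dataclass
class Event:
    ts: datetime
    pid: str     # shell session id; used to group commands from one operator
    user: str
    cmd: str


def parse(log_text):
    """Turn shell.log-style text into Event records, skipping unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["pid"], m["user"], m["cmd"]))
    return events


def find_mass_kill_then_datastore(events, min_kills=2, window=timedelta(minutes=5)):
    """Alert on a shell session that issues at least `min_kills` VM kill
    commands within `window`, and list any datastore-touching commands that
    follow the last kill inside the same window. One alert per session."""
    alerts = []
    by_session = {}
    for e in events:
        by_session.setdefault(e.pid, []).append(e)
    for pid, sess in by_session.items():
        kills = [e for e in sess if KILL_RE.search(e.cmd)]
        for i, first in enumerate(kills):
            burst = [k for k in kills[i:] if k.ts - first.ts <= window]
            if len(burst) >= min_kills:
                last_kill = burst[-1].ts
                touched = [e.cmd for e in sess
                           if last_kill < e.ts <= last_kill + window
                           and DATASTORE_RE.search(e.cmd)]
                alerts.append({"pid": pid, "user": first.user,
                               "kills": len(burst), "start": first.ts,
                               "datastore_cmds": touched})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_mass_kill_then_datastore(parse(SAMPLE_SHELL_LOG)):
        print(alert)
```

On the constructed sample this yields one alert for session 2099641 (three kills in nine seconds, then a command against /vmfs/volumes/datastore1); the single power-off in session 2101977 stays below the threshold, which is the point of requiring a burst rather than alerting on every `power.off` an administrator runs.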
Enterprises running VMware's ESXi need to be cautious, though the mitigation is straightforward.
"The most important thing is to ensure that any access, especially management access, to something like an ESXi hypervisor is very limited," Delamotte advises. "You want to have good role-based access controls and definitely MFA wherever possible on any service account."
Strict, effective access controls should be enough to insulate the vulnerable. "I don't really see any situation," she says, "where somebody can move on to this kind of server without having admin privileges."
