Ransomware attacks on VMware ESXi systems have increased significantly in recent years. According to a recent report, the leak of Babuk ransomware's source code in September 2021 has given birth to multiple ransomware families. This rapid adoption of the source code allowed novice attackers to create their own ransomware strains without any malware development expertise.
The leaked source code to blame
The SentinelOne report reveals that between H2 2022 and H1 2023, threat actors developed at least nine distinct ransomware strains that specifically target ESXi hosts, all of them based on Babuk's leaked source code.
Among the new ransomware strains, at least three (Cylance, Rorschach, and RTM Locker) were developed using a major portion of Babuk source code.
The report also highlights similarities between Babuk's source code and the ESXi encryptors used by Conti and REvil, suggesting some connection between them.
Other ransomware strains targeting ESXi servers
While the leak of Babuk’s source code has driven a surge in ransomware targeting ESXi hypervisors, researchers also observed other distinct ESXi ransomware families that are not linked to Babuk.
Some key ransomware families are ALPHV, Hive, LockBit's ESXi lockers, and Black Basta.
Researchers also found similarities between ESXiArgs and Babuk; however, these are limited to the use of the same open-source implementation of the Sosemanuk stream cipher. The main encryptor functions of the two malware families are entirely different.
Conclusion
Since a large number of ransomware groups are already gravitating toward the ESXi platform, it would be wrong to attribute this surge in ESXi-targeting malware to Babuk’s code leak alone. However, researchers consider it possible that multiple groups, including Babuk, Conti, and REvil, outsourced their development work to the same set of developers. Adversaries are known to share malicious code among themselves, much as contributors do in open-source development projects. In any case, the growing focus on ESXi is a mounting concern for the security community.