SentinelLabs identified 10 ransomware families using VMware ESXi lockers derived from the 2021 Babuk leaks, showing a growing adoption of Babuk code for ESXi lockers. Leaked Babuk source enables actors to target Linux systems and complicates attribution as more groups adopt the tools. #Babuk #XVGV #Conti #REvil #Play #RansomHouse #ESXi #LinuxLocker
Key points
- SentinelLabs identified 10 ransomware families using VMware ESXi lockers based on Babuk leaks.
- Variants emerged through H2 2022 and H1 2023, signaling increasing adoption of Babuk-derived ESXi lockers.
- Leaked Babuk source code enables actors to target Linux systems when they may otherwise lack expertise to build a working program.
- Source code leaks complicate attribution as more actors adopt the tools.
- There are notable overlaps between Babuk-descended ESXi lockers and Conti/REvil, including shared code and function names (e.g., Conti POC and Conti ESXi).
- Notable examples include Play (.FinDom), Mario (.emario), Conti POC/ESXi, and RHKRC; smaller operators such as RansomHouse, which runs Mario, are also part of the landscape.
MITRE Techniques
- [T1083] File and Directory Discovery: The Conti POC and Baseline Babuk functions are remarkably similar, containing the same file status variable names.
- [T1059.003] Command-Line Interface: Like Babuk, XVGV requires the operator to provide a directory to encrypt as an argument.
- [T1486] Data Encrypted for Impact: For encryption, ESXi Babuk uses an implementation of the Sosemanuk stream cipher to encrypt targeted files, in contrast with Babuk for Windows, which uses the HC-128 cipher.
Indicators of Compromise
- [SHA1] Baseline Babuk (.babyk): b93d649e73c21efea10d4d811b711316206c0509
- [SHA1] Babuk Leaks Binary (d_esxi.out): cd19c2741261de97e91943148ba8c0863567b461
- [SHA1] Babuk Leaks Binary (e_esxi.out): 885a734c7869b52aa125674cb430199b2645cda0
- [SHA1] Babuk 2023 (.XVGV): e8bb26f62983055cfb602aa39a89998e8f512466
- [SHA1] Play ESXi (.FinDom): dc8b9bc46f1d23779d3835f2b3648c21f4cf6151
- [SHA1] Play ESXi Compressed Parent: 9290478cda302b9535702af3a1dada25818ad9ce
- [SHA1] Rorschach aka Bablock (.slpqne): 76fb0d08fd5b9c52cb9da118ce5561cc0462555f
- [SHA1] Mario (.emario): 048b3942c715c6bff15c94cdc0bb4414dbab9e07
- [SHA1] Conti POC (.conti): 091f4bddea8bf443bc8703730f15b21f7ccf00e9
- [SHA1] Conti ESXi (.conti): ee827023780964574f28c6ba333d800b73eae5c4
- [SHA1] RHKRC (.rhkrc): 74e4b2f7abf9dbd376372c9b05b26b02c2872e4b
- [SHA1] RHKRC (.rhkrc): 29f16c046a344e0d0adfea80d5d7958d6b6b8cfa
- [SHA1] Cylance Ransomware (.cylance): 933ad0a7d9db57b92144840d838f7b10356c7e51
- [SHA1] Dataf Locker (.dataf): 71ed640ebd8377f52bda4968398c62c97ae1c3ed
- [SHA1] Lock4 Ransomware (.lock4): 3b1a2847e006007626ced901e402f1a33bb800c7
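The list above is only useful once it is turned into a sweep that a responder can run against a datastore or a staging host. The following is an added example, not code from SentinelLabs or from the report: it walks a directory tree, flags files carrying the encrypted-file extensions attributed to these lockers on this page, and hashes everything else with SHA1 to compare against the IoC set. The `hashes` parameter, the sample-tree builder and the `/vmfs/volumes` path are assumptions introduced for illustration; ESXi ships a Python interpreter, but the script is plain standard-library Python and runs anywhere.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA1 indicators exactly as listed on the page, mapped to the family label.
BABUK_DERIVED_SHA1 = {
    "b93d649e73c21efea10d4d811b711316206c0509": "Baseline Babuk (.babyk)",
    "cd19c2741261de97e91943148ba8c0863567b461": "Babuk Leaks Binary d_esxi.out",
    "885a734c7869b52aa125674cb430199b2645cda0": "Babuk Leaks Binary e_esxi.out",
    "e8bb26f62983055cfb602aa39a89998e8f512466": "Babuk 2023 (.XVGV)",
    "dc8b9bc46f1d23779d3835f2b3648c21f4cf6151": "Play ESXi (.FinDom)",
    "9290478cda302b9535702af3a1dada25818ad9ce": "Play ESXi Compressed Parent",
    "76fb0d08fd5b9c52cb9da118ce5561cc0462555f": "Rorschach aka Bablock (.slpqne)",
    "048b3942c715c6bff15c94cdc0bb4414dbab9e07": "Mario (.emario)",
    "091f4bddea8bf443bc8703730f15b21f7ccf00e9": "Conti POC (.conti)",
    "ee827023780964574f28c6ba333d800b73eae5c4": "Conti ESXi (.conti)",
    "74e4b2f7abf9dbd376372c9b05b26b02c2872e4b": "RHKRC (.rhkrc)",
    "29f16c046a344e0d0adfea80d5d7958d6b6b8cfa": "RHKRC (.rhkrc)",
    "933ad0a7d9db57b92144840d838f7b10356c7e51": "Cylance Ransomware (.cylance)",
    "71ed640ebd8377f52bda4968398c62c97ae1c3ed": "Dataf Locker (.dataf)",
    "3b1a2847e006007626ced901e402f1a33bb800c7": "Lock4 Ransomware (.lock4)",
}

# Extensions the page attributes to encrypted output of these lockers (compared case-insensitively).
LOCKER_EXTENSIONS = {
    ".babyk", ".xvgv", ".findom", ".slpqne", ".emario",
    ".conti", ".rhkrc", ".cylance", ".dataf", ".lock4",
}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA1 so large VMDKs do not have to fit in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root, hashes=BABUK_DERIVED_SHA1):
    """Return (kind, path, detail) findings for the tree under root.

    kind is 'encrypted_extension' for files already renamed by a locker and
    'known_locker_hash' for binaries whose SHA1 matches the IoC set.
    """
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            ext = path.suffix.lower()
            if ext in LOCKER_EXTENSIONS:
                findings.append(("encrypted_extension", str(path), ext))
                continue  # already-encrypted data will not match a locker hash
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            if digest in hashes:
                findings.append(("known_locker_hash", str(path), hashes[digest]))
    return findings


def summarize(findings):
    """Count findings per kind so a responder sees the shape of the hit set at a glance."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def build_sample_tree(base):
    """Constructed sample datastore (hypothetical content): two renamed files and one benign file."""
    vm_dir = Path(base) / "vm01"
    vm_dir.mkdir(parents=True, exist_ok=True)
    (vm_dir / "disk.vmdk.babyk").write_bytes(b"\x00" * 64)
    (vm_dir / "vm01.vmx.XVGV").write_bytes(b"\x01" * 64)
    (vm_dir / "notes.txt").write_bytes(b"plain text, not encrypted")
    return str(base)


if __name__ == "__main__":
    # Real use: sweep("/vmfs/volumes")  -- assumed datastore mount point on an ESXi host.
    with tempfile.TemporaryDirectory() as tmp:
        hits = sweep(build_sample_tree(tmp))
        for kind, path, detail in hits:
            print(f"{kind:20s} {detail:16s} {path}")
        print(summarize(hits))
```

The two signals are deliberately separate: an extension hit means encryption has already happened on that file and the priority is scoping and recovery, while a hash hit means a known locker binary is present and the priority is containment before it runs. Hash matching alone is brittle against recompiled forks of the leaked source, which is exactly why the report's family-level overlaps matter more than any single digest.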