Thursday, 11 May 2023 17:37

Because Sharing is Caring: Why Wouldn’t Leaked Ransomware Code Get Reused?


After the Babuk ransomware source code leaked in late 2021, researchers have identified nine separate new strains built on it that are intended to target VMware ESXi. The new variants first started showing up in the second half of 2022. As with ransomware as a service, leaked source code lets less sophisticated attack groups put the work of others to their own use, in this case against the Linux-based ESXi hypervisor. ESXi is an attractive target because encrypting the hypervisor’s datastores takes down every virtual machine on it at once, and it prevents rapid restoration of those systems since the infrastructure they run on is itself what has been affected.

At least three new strains of ransomware have appeared since the beginning of 2023 that can be tied to the Babuk source code. One of them, Cylance (not to be confused with the AI anti-malware company of the same name), targets both Windows and Linux systems and appears to still be in development. Additional analysis by SentinelOne also shows overlap between Babuk and the ESXi-targeting ransomware from Conti and REvil. The list of strains that appear to be derived from Babuk does not end there, with at least five more identified as of this writing.

The targeting of Linux has grown in popularity over the past couple of years and shows no sign of slowing. The Royal ransomware group, which may have formed from former members of the Conti group, has developed an ELF variant of its ransomware for use against Linux-based systems, including ESXi.

Many of these new variants are deployed only after initial access has been established by some other means (such as dropping a Cobalt Strike beacon). From there the ransomware is pushed out to the intended targets inside the organization. This means organizations need to be even more vigilant about denying that initial access: extra safeguards against advanced phishing attacks, and proper segmentation between general-use networks and administrative ones (such as access to the ESXi shell, its command console). Ransomware is still a serious threat and is only going to get more sophisticated in the coming months. The Babuk leak puts relatively sophisticated code in the hands of groups that might normally not be a direct threat. Those groups will learn from the code and develop newer strains of their own as the existing ones are identified and defenses are built. It is an ugly cycle, and the pool of threat groups that can field ransomware is only growing.
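One way to put the segmentation point into practice is to watch who is actually reaching the ESXi shell. The script below is an added example, not code from the original article or from any of the vendor reports it cites. It parses the standard OpenSSH messages that ESXi’s sshd writes to /var/log/auth.log, flags successful logins that originate outside an assumed set of administrative networks (the ADMIN_NETS values are placeholders), and counts failed attempts per source so password guessing from a user network shows up before the eventual success. The log lines are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Assumed management subnets for this example; in practice, replace these with
# the networks your ESXi administrators actually operate from.
ADMIN_NETS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]

# ESXi's sshd writes standard OpenSSH messages to /var/log/auth.log. These two
# patterns match successful and failed authentication lines respectively.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def is_admin_source(ip, admin_nets=ADMIN_NETS):
    """True if the source address falls inside one of the admin networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in admin_nets)


def find_unexpected_logins(lines, admin_nets=ADMIN_NETS):
    """Return successful SSH logins whose source is outside the admin networks.

    A successful login from a user-facing network is exactly the path an
    intruder takes when pivoting from a compromised workstation to the hosts.
    """
    alerts = []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m and not is_admin_source(m["ip"], admin_nets):
            alerts.append(
                {"user": m["user"], "ip": m["ip"], "method": m["method"], "line": line}
            )
    return alerts


def count_failed_by_source(lines):
    """Count failed SSH authentications per source address (password guessing)."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m["ip"]] += 1
    return counts


def analyze(lines, admin_nets=ADMIN_NETS, fail_threshold=3):
    """Combine both checks into one report."""
    failed = count_failed_by_source(lines)
    return {
        "unexpected_logins": find_unexpected_logins(lines, admin_nets),
        "brute_force_sources": {ip: n for ip, n in failed.items() if n >= fail_threshold},
    }


# Constructed sample log for this example (not a real capture). 10.20.5.77 is a
# host on a general-use network that guesses root's password and then gets in.
SAMPLE_LOG = [
    "2023-05-11T17:01:03Z sshd[2049]: Accepted publickey for root from 10.10.0.15 port 52344 ssh2",
    "2023-05-11T17:03:41Z sshd[2050]: Failed password for root from 10.20.5.77 port 41022 ssh2",
    "2023-05-11T17:03:45Z sshd[2050]: Failed password for root from 10.20.5.77 port 41024 ssh2",
    "2023-05-11T17:03:49Z sshd[2050]: Failed password for root from 10.20.5.77 port 41026 ssh2",
    "2023-05-11T17:04:02Z sshd[2051]: Accepted keyboard-interactive/pam for root from 10.20.5.77 port 41030 ssh2",
    "2023-05-11T17:05:10Z sshd[2052]: Failed password for invalid user admin from 10.20.5.77 port 41040 ssh2",
    "2023-05-11T17:06:00Z sshd[2051]: Received disconnect from 10.20.5.77 port 41030:11: disconnected by user",
]

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for a in report["unexpected_logins"]:
        print(f"ALERT: {a['user']} logged in via {a['method']} from non-admin source {a['ip']}")
    for ip, n in report["brute_force_sources"].items():
        print(f"ALERT: {n} failed SSH authentications from {ip}")
```

On a real host the same checks can be fed from `cat /var/log/auth.log`, but the point is the policy behind them: if the only networks that should ever reach the ESXi shell are the admin ones, then any accepted login from anywhere else is a finding regardless of whether the password was correct.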
