At least three new strains of ransomware have popped up since the beginning of 2023 that can be tied to the Babuk source code. One of these, Cylance (not to be confused with the AI anti-malware company), can target both Windows and Linux systems and appears to be just in the development stages. Additional analysis by SentinelOne also shows correlations between Babuk and the ESXi-targeting ransomware from Conti and REvil. The list of strains that appear to be derived from Babuk does not end there, with at least five more identified as of this writing.
The targeting of Linux has gained in popularity over the past couple of years and shows no sign of slacking off. The Royal ransomware group, which may have formed from former members of the Conti group, has developed an ELF variant of its ransomware that can be used against Linux-based systems, including ESXi.
Many of these new variants are deployed after establishing initial access via some other means (such as dropping Cobalt Strike). From there the ransomware can be pushed out to the intended targets inside the organization. This means that organizations need to be even more vigilant when it comes to denying initial access. This includes extra safeguards against advanced phishing attacks and proper segmentation of networks for general use and administration (such as access to ESXi's command console).

Ransomware is still a serious threat and is only going to get more sophisticated in the coming months. The leak of Babuk now puts relatively sophisticated code in the hands of groups that might normally not be a direct threat. These groups will learn from this code and develop their own newer strains as the existing ones are identified and defenses are created. It is an ugly cycle, and the pool of threat groups that can utilize ransomware is only growing.