URL: https://www.sentinelone.com/labs/hypervisor-ransomware-multiple-threat-actor-groups-hop-on-leaked-babuk-code-to-build-esxi-l...
HYPERVISOR RANSOMWARE | MULTIPLE THREAT ACTOR GROUPS HOP ON LEAKED BABUK CODE TO
BUILD ESXI LOCKERS

Alex Delamotte / May 11, 2023


EXECUTIVE SUMMARY

 * SentinelLabs identified 10 ransomware families using VMware ESXi lockers
   based on the 2021 Babuk source code leaks.
 * These variants emerged through H2 2022 and H1 2023, which shows an increasing
   trend of Babuk source code adoption.
 * Leaked source code enables actors to target Linux systems when they may
   otherwise lack expertise to build a working program.
 * Source code leaks further complicate attribution, as more actors will adopt
   the tools.


BACKGROUND

Throughout early 2023, SentinelLabs observed an increase in VMware ESXi
ransomware based on Babuk (aka Babak, Babyk). The Babuk leaks in September 2021
provided unprecedented insight into the development operations of an organized
ransomware group.

Due to the prevalence of ESXi in on-prem and hybrid enterprise networks, these
hypervisors are valuable targets for ransomware. Over the past two years,
organized ransomware groups adopted Linux lockers, including ALPHV, Black Basta,
Conti, Lockbit, and REvil. These groups focus on ESXi before other Linux
variants, leveraging built-in tools for the ESXi hypervisor to kill guest
machines, then encrypt crucial hypervisor files.

We identified overlap between the leaked Babuk source code and ESXi lockers
attributed to Conti and REvil, with iterations of the latter sharply resembling
one another. We also compared them to the leaked Conti Windows locker source
code, finding shared, bespoke function names and features.

In addition to these notorious groups, we also found smaller ransomware
operations using the Babuk source code to generate more recognizable ESXi
lockers. Ransom House’s Mario and a previously undocumented ESXi version of Play
Ransomware comprise a small handful of the growing Babuk-descended ESXi locker
landscape.


BABUK BACKGROUND

Babuk was one of the early players in the ESXi ransomware space. The group’s
longevity was crippled in 2021 when a Babuk developer leaked the builder source
code for Babuk’s C++-based Linux Executable & Linkable Format (ELF) ESXi,
Golang-based Network Attached Storage (NAS), and C++-based Windows ransomware
tooling.

Through early 2022, there were few indications that actors had adapted the
leaked Babuk source code, aside from a short-lived ‘Babuk 2.0’ variant and the
occasional new Windows ransomware du jour. As cybercrime research is often
laser-focused on Windows, Linux trends can develop under the radar.

SentinelLabs identified Babuk-descended ransomware through the string ‘Doesn’t
encrypted files: %d\n’ in the source code’s /бабак/esxi/enc/main.cpp.

Unique strings in Babuk source code main.cpp

The Babuk builder specifies a file name for the newly generated binary,
e_esxi.out. Several samples we identified share a similar naming convention:

Ransomware Family        File Name
Mario                    emario.out
Play                     e_esxi.out
Babuk 2023 aka XVGV      RansomWare-e_esxi-XVGV2.out

For encryption, ESXi Babuk uses an implementation of the Sosemanuk stream cipher
to encrypt targeted files, in contrast with Babuk for Windows, which uses the
HC-128 cipher. Both ESXi and Windows Babuk use Curve25519-Donna to generate the
encryption key.
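As an added defensive triage example (not SentinelLabs code), the following Python script checks an ELF file for the lineage markers this section describes: the unique logging string from the leaked main.cpp, the default ransom note names, and the builder's e_esxi.out naming convention. The sample buffers are constructed, and the marker labels, the name regex and the ELF-only rule are assumptions of the example rather than anything stated in the post.

```python
"""Triage helper for the Babuk-lineage markers described in this post.

Constructed example, not SentinelLabs tooling. A file is flagged as a
Babuk-descendant candidate when it is an ELF binary and either carries one
of the strings the post calls out or follows the builder's e_esxi.out naming
convention. A marker hit is a triage signal for analysts, not an attribution
verdict.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field
from pathlib import Path

ELF_MAGIC = b"\x7fELF"

# Strings quoted in the post. The leaked source uses an ASCII apostrophe in
# "Doesn't"; the post renders it typographically. The "\n" that follows it
# in main.cpp is not printable, so only the printable prefix is matched.
STRING_MARKERS: dict[str, bytes] = {
    "babuk_log_string": b"Doesn't encrypted files: %d",
    "babuk_ransom_note": b"How To Restore Your Files.txt",
    "xvgv_ransom_note": b"HowToRestore.txt",
}

# Output names on the page: e_esxi.out (builder default and Play),
# emario.out (Mario), RansomWare-e_esxi-XVGV2.out (XVGV); d_esxi.out is the
# other leaked Babuk binary name. Assumption: the prefix may be preceded by
# '-' or '_' and followed by arbitrary word characters before ".out".
BUILDER_NAME_RE = re.compile(
    r"(?:^|[-_])(?:[de]_esxi|emario)[\w-]*\.out$", re.IGNORECASE
)


@dataclass
class TriageResult:
    name: str
    is_elf: bool
    builder_style_name: bool
    markers_found: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Require ELF: the lineage discussed is specifically the ELF ESXi locker.
        return self.is_elf and (bool(self.markers_found) or self.builder_style_name)


def printable_strings(data: bytes, min_len: int = 4) -> list[bytes]:
    """Equivalent of `strings -n min_len`: runs of printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group() for m in pattern.finditer(data)]


def matches_builder_name(name: str) -> bool:
    return BUILDER_NAME_RE.search(name) is not None


def find_markers(data: bytes) -> list[str]:
    """Return the labels of every marker string present in the file."""
    strings = printable_strings(data)
    return [label for label, needle in STRING_MARKERS.items()
            if any(needle in s for s in strings)]


def triage_bytes(name: str, data: bytes) -> TriageResult:
    return TriageResult(
        name=name,
        is_elf=data.startswith(ELF_MAGIC),
        builder_style_name=matches_builder_name(name),
        markers_found=find_markers(data),
    )


def triage_file(path: Path) -> TriageResult:
    return triage_bytes(path.name, path.read_bytes())


# Constructed sample buffers (not real malware): an ELF header stub followed
# by the two Babuk strings, and a benign-looking ELF stub for contrast.
CONSTRUCTED_BABUK_LIKE = (
    ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 41
    + b"Doesn't encrypted files: %d\n\x00"
    + b"How To Restore Your Files.txt\x00"
)
CONSTRUCTED_BENIGN = (
    ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 41 + b"Usage: httpd [options]\x00"
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = [triage_file(Path(p)) for p in sys.argv[1:]]
    else:  # no paths given: run over the constructed samples
        results = [triage_bytes("e_esxi.out", CONSTRUCTED_BABUK_LIKE),
                   triage_bytes("httpd", CONSTRUCTED_BENIGN)]
    for r in results:
        flag = "SUSPICIOUS" if r.suspicious else "clean"
        print(f"{r.name}: {flag} elf={r.is_elf} "
              f"builder_name={r.builder_style_name} markers={r.markers_found}")
```

Run it with one or more file paths to triage real samples in a sandbox, or with no arguments to see the constructed samples classified.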


GENERATIONS OF BABUK


COMPARISON METHODOLOGY

SentinelLabs compiled an unstripped Babuk binary to establish a baseline of how
Babuk looks and behaves, referred to henceforth as ‘Baseline Babuk.’ To
understand whether the variants we identified are related to Babuk, we compared
each variant to this Baseline Babuk sample and highlighted notable similarities
and differences.


BABUK 2023 (.XVGV)

SHA1: e8bb26f62983055cfb602aa39a89998e8f512466

XVGV, aka Babuk 2023, emerged in March 2023 on Bleeping Computer’s forum as
highlighted by @malwrhunterteam. Baseline Babuk and XVGV share code derived from
main.cpp, argument processing functions from args.cpp, and encryption
implementation.

Like Babuk, XVGV requires the operator to provide a directory to encrypt as an
argument. During dynamic analysis, we provided the test system’s user directory.
On the first run, the sample generated a ransom note, HowToRestore.txt, in all
child directories.

However, only six files were encrypted, each with either .log or .gz file
extensions. Looking at the file extension inclusions reveals why the damage was
limited: XVGV targets VMware-centric files and excludes those which do not match
a designated list. This is a behavior shared with Baseline Babuk, though the
XVGV author added more file extensions.

XVGV .rodata segment references to file extensions (left) and Babuk source code
equivalent


PLAY (.FINDOM)

SHA1: dc8b9bc46f1d23779d3835f2b3648c21f4cf6151

This file references the file extension .FinDom, as well as the ransom email
address findomswitch@fastmail.pw, which are artifacts associated with Play
Ransomware. This is the first known version of Play built for a Linux system,
which aligns this actor with the trend of ransomware groups increasingly
targeting Linux. Play contains the same file searching functionality as Baseline
Babuk; it also implements encryption using Sosemanuk.

Baseline Babuk (left) and Play disassembly of a ransom note construction
function

The Play binary was submitted to VirusTotal as part of an archive (SHA1:
9290478cda302b9535702af3a1dada25818ad9ce) containing various hack tools and
utilities–including AnyDesk, NetCat, a privilege escalation batch file, and
encoded PowerShell Empire scripts–which are associated with ransomware group
techniques after achieving initial access.


MARIO (.EMARIO)

SHA1: 048b3942c715c6bff15c94cdc0bb4414dbab9e07

Mario ransomware is operated by Ransom House, a group that emerged in 2021.
Ransom House initially claimed that they target vulnerable networks to steal
data without encrypting files. However, the group has since adopted
cryptographic lockers.

The samples share a very similar find_files_recursive function, including the
default ransom note filename How To Restore Your Files.txt. The encryption
functions are also the same.

The verbose ransom note content is the most unique part of Mario’s ESXi locker.
The Ransom House actors provide very explicit instructions to the victim
explaining what to do and how to contact the actors.

Mario strings show default Babuk logging messages and the ransom note


CONTI POC (.CONTI)

Conti POC – SHA1: 091f4bddea8bf443bc8703730f15b21f7ccf00e9
Conti ESXi Locker – SHA1: ee827023780964574f28c6ba333d800b73eae5c4

To our surprise, the Babuk hunt identified several binaries internally called
‘Conti POC,’ likely short for ‘proof of concept,’ which were documented in a
September 2022 campaign against entities in Mexico.

Conti was a notoriously well-organized and ruthless ransomware group. Leaks
revealed Conti’s organizational structure resembles many legitimate companies
more than a criminal enterprise: the operation employed middle management and a
human resources department. Chat history leaks circa early 2021 revealed that
Conti had trouble getting their ESXi locker to work.

We compared several iterations of Conti and Babuk to assess a connection. Conti
ESXi emerged in April 2022, which could mean that Conti implemented Babuk code
after it was leaked in September 2021 and ultimately got the locker to work.

 * Conti POC & Conti ESXi Locker: The Conti POC is less mature, which aligns
   with being a ‘proof of concept.’ Conti POC and Conti ESXi share many function
   names and behaviors, including the same argument processing functions and
   conditions. We conclude these samples are related, and that Conti POC is a
   likely predecessor to Conti’s ESXi locker.
   Side-by-side view of Conti ESXi (left) and the Conti POC Babuk descendant
   argument processing
 * Conti POC & Baseline Babuk: The Conti POC SearchFiles and Baseline Babuk
   find_files_recursive functions are remarkably similar, containing the same
   file status variable names. Conti ported certain parts of this function to
   other local modules, demonstrating more maturity than Baseline Babuk. These
   two also share a similar main function, suggesting these families are also
   related and that Conti POC is a more mature evolution of Baseline Babuk.
   find_files_recursive in Baseline Babuk (left) and SearchFiles in Conti POC
 * Comparing to Conti Leaked Windows Code: There are considerable overlaps in
   utility as well as function names between both Linux versions of Conti (POC
   and ESXi) and the leaked Windows Conti code. Both versions use the same
   open-source ChaCha encryption implementation. The leaked Conti Windows code
   contains commented-out references to HandleCommandLine, a function seen in
   the other Conti variants we analyzed, and several shared arguments to parse,
   such as prockiller. It is possible that a developer aligned function names
   between the Windows version and the ESXi locker in aspiration of feature
   parity.
   Conti ESXi (left) and Windows main.cpp HandleCommandLine function


REVIL AKA REVIX (.RHKRC)

RHKRC – SHA1: 74e4b2f7abf9dbd376372c9b05b26b02c2872e4b
Revix June 2021 – SHA1: 29f16c046a344e0d0adfea80d5d7958d6b6b8cfa

We identified a Babuk-like sample internally called RHKRC, which appends the
.rhkrc extension to filenames, a behavior associated with the REvil group’s
“Revix” ESXi locker. Interestingly, reports of Revix in-the-wild date back to
June 2021, which predates the September 2021 Babuk source code leaks.

To understand where this fits in the development timeline, we compared several
iterations of related activity:

 * RHKRC & Conti POC: Surprisingly similar, these versions both implement
   encryption identically through ChaCha20 as outlined above. They share a
   nearly identical, otherwise unique InitializeEncryptor function. These
   samples are related.
   InitializeEncryptor functions from RHKRC (left) and Conti POC
   EncryptFull functions from RHKRC (left) and Conti POC
 * RHKRC & Baseline Babuk: These samples share many function names, including
   Babuk’s native thread pooling. However, RHKRC implements encryption
   differently, and it has more bespoke ESXi CLI activity. We assess that these
   samples are related, though RHKRC is more mature despite also being in the
   ‘proof of concept’ stage.
 * RHKRC & June 2021 Revix: We compared RHKRC with Revix from June 2021
   in-the-wild activity. Revix is much more mature and contains dynamic code
   deobfuscation measures unseen in other variants analyzed. RHKRC and Revix
   share the same internal filename (elf.exe), ransom note name, and appended
   file extension. However, these similarities are mainly cosmetic, and we are
   unable to conclude if a definitive connection exists. Any theories about
   these coincidences amount to conjecture.


HONORABLE MENTION

SentinelLabs notes there are several other known families descended from the
Babuk ESXi source code, including:

 * Cylance ransomware (unrelated to the security company of the same name)
 * Dataf Locker
 * Rorschach aka BabLock
 * Lock4
 * RTM Locker (per Uptycs)

While there are undoubtedly more Babuk offspring that slipped under the radar,
other ESXi ransomware families are unrelated to Babuk. A cursory glance at
ALPHV, BlackBasta, Hive, and Lockbit’s ESXi lockers shows no obvious similarity
to Babuk.

Babuk is occasionally blamed in error, too. Reports on the February ESXiArgs
campaign–which briefly devastated some unpatched cloud services–claim the
eponymous locker is derived from Babuk. However, our analysis found little
similarity between ESXiArgs (SHA1: f25846f8cda8b0460e1db02ba6d3836ad3721f62) and
Babuk. The only noteworthy similarity is the use of the same open-source
Sosemanuk encryption implementation. The main function is entirely different, as
shown below. ESXiArgs also uses an external shell script to search files and
provide arguments to the esxcli, so there is no native find_files_recursive
function to compare.

ESXiArgs main function


CONCLUSION

SentinelLabs’ analysis identified unexpected connections between ESXi ransomware
families, exposing likely relationships between Babuk and more illustrious
operations like Conti and REvil. While ties to REvil remain tentative, it is
possible that these groups–Babuk, Conti, and REvil–outsourced an ESXi locker
project to the same developer. The talent pool for
Linux malware developers is surely much smaller in ransomware development
circles, which have historically held demonstrable expertise in crafting elegant
Windows malware. Ransomware groups have experienced numerous leaks, so it is
plausible smaller leaks occurred within these circles. Additionally, actors may
share code to collaborate, similar to open-sourcing a development project.

There is a noticeable trend that actors increasingly use the Babuk builder to
develop ESXi and Linux ransomware. This is particularly evident when used by
actors with fewer resources, as these actors are less likely to significantly
modify the Babuk source code.

Based on the popularity of Babuk’s ESXi locker code, actors may also turn to the
group’s Go-based NAS locker. Golang remains a niche choice for many actors, but
it continues to increase in popularity. The targeted NAS systems are also based
on Linux. While the NAS locker is less complex, the code is clear and legible,
which could make ransomware more accessible for developers who are familiar with
Go or similar programming languages.


INDICATORS OF COMPROMISE

Ransomware Family                   SHA1
Baseline Babuk (.babyk)             b93d649e73c21efea10d4d811b711316206c0509
Babuk Leaks Binary – d_esxi.out     cd19c2741261de97e91943148ba8c0863567b461
Babuk Leaks Binary – e_esxi.out     885a734c7869b52aa125674cb430199b2645cda0
Babuk 2023 (.XVGV)                  e8bb26f62983055cfb602aa39a89998e8f512466
Play ESXi (.FinDom)                 dc8b9bc46f1d23779d3835f2b3648c21f4cf6151
Play ESXi Compressed Parent         9290478cda302b9535702af3a1dada25818ad9ce
Rorschach aka Bablock (.slpqne)     76fb0d08fd5b9c52cb9da118ce5561cc0462555f
Mario (.emario)                     048b3942c715c6bff15c94cdc0bb4414dbab9e07
Conti POC (.conti)                  091f4bddea8bf443bc8703730f15b21f7ccf00e9
Conti ESXi (.conti)                 ee827023780964574f28c6ba333d800b73eae5c4
RHKRC (.rhkrc)                      74e4b2f7abf9dbd376372c9b05b26b02c2872e4b
RHKRC (.rhkrc)                      29f16c046a344e0d0adfea80d5d7958d6b6b8cfa
Cylance Ransomware (.cylance)       933ad0a7d9db57b92144840d838f7b10356c7e51
Dataf Locker (.dataf)               71ed640ebd8377f52bda4968398c62c97ae1c3ed
Lock4 Ransomware (.lock4)           3b1a2847e006007626ced901e402f1a33bb800c7

ALEX DELAMOTTE

Alex's passion for cybersecurity is humbly rooted in the early aughts, when she
declared a vendetta against a computer worm. Over the past decade, Alex has
worked with blue, purple, and red teams serving companies in the technology,
financial, pharmaceuticals, and telecom sectors and she has shared research with
several ISACs. Alex enjoys researching the intersection of cybercrime and
state-sponsored activity. She relentlessly questions why actors pivot to a new
technique or attack surface. In her spare time, she can be found DJing or
servicing her music arcade games.

Prev

KIMSUKY EVOLVES RECONNAISSANCE CAPABILITIES IN NEW GLOBAL CAMPAIGN


RELATED POSTS


ICEFIRE RANSOMWARE RETURNS | NOW TARGETING LINUX ENTERPRISE NETWORKS

March 09 2023


CL0P RANSOMWARE TARGETS LINUX SYSTEMS WITH FLAWED ENCRYPTION | DECRYPTOR
AVAILABLE

February 07 2023


MALVIRT | .NET VIRTUALIZATION THRIVES IN MALVERTISING ATTACKS

February 02 2023


SEARCH

Search ...


SIGN UP

Get notified when we post new content.

*
























Subscribe
By clicking Subscribe, I agree to the use of my personal data in accordance with
SentinelOne Privacy Policy. SentinelOne will not sell, trade, lease, or rent
your personal data to third parties.

Thanks! Keep an eye out for new content!


RECENT POSTS

 * Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign
   May 4, 2023
 * Transparent Tribe (APT36) | Pakistan-Aligned Threat Actor Expands Interest in
   Indian Education Sector
   April 13, 2023
 * Dissecting AlienFox | The Cloud Spammer’s Swiss Army Knife
   March 30, 2023


LABS CATEGORIES

 * Crimeware
 * Security Research
 * Advanced Persistent Threat
 * Adversary
 * Security & Intelligence
 * LABScon


SENTINELLABS

In the era of interconnectivity, when markets, geographies, and jurisdictions
merge in the melting pot of the digital domain, the perils of the threat
ecosystem become unparalleled. Crimeware families achieve an unparalleled level
of technical sophistication, APT groups are competing in fully-fledged cyber
warfare, while once decentralized and scattered threat actors are forming
adamant alliances of operating as elite corporate espionage teams.


LATEST TWEET

 * Atomic Stealer | Threat Actor Spawns Second Variant of macOS Malware Sold on
   Telegram -- by @philofishal https://t.co/I5Kc36mMRQ8 days ago
 * RT @spiderspiders_: Back in 2021, the Babuk source code leaks fascinated me.
   At the time, it was unprecedented ransomware drama. Like any…6 hours ago
 * New research from @spiderspiders_ https://t.co/2P3Q8yRB2t8 hours ago
 * Kimsuky APT Evolves Reconnaissance Capabilities in New Global Campaign -- By
   @TomHegel @milenkowski https://t.co/6rXlKh6cMQ7 days ago
 * Atomic Stealer | Threat Actor Spawns Second Variant of macOS Malware Sold on
   Telegram -- by @philofishal https://t.co/I5Kc36mMRQ8 days ago
 * RT @spiderspiders_: Back in 2021, the Babuk source code leaks fascinated me.
   At the time, it was unprecedented ransomware drama. Like any…6 hours ago




RECENT POSTS

 * Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign
   May 4, 2023
 * Transparent Tribe (APT36) | Pakistan-Aligned Threat Actor Expands Interest in
   Indian Education Sector
   April 13, 2023
 * Dissecting AlienFox | The Cloud Spammer’s Swiss Army Knife
   March 30, 2023


©2023 SentinelOne, All Rights Reserved.