Leaked Babuk source code used by 10 ransomware gangs targeting VMware ESXi


Leaked source code from cybercriminal gang Babuk is being used by ransomware gangs targeting VMware ESXi. The malware has enabled criminals to target Linux systems where they may otherwise have lacked the expertise to do so, according to an investigation. The code is being used to target VMware ESXi hypervisors, which are deployed in both on-premises and hybrid working environments, making them valuable targets for ransomware. The Babuk source code-based malware specifically targets hypervisors running on Linux systems, according to SentinelLabs.

“Over the past two years, organised ransomware groups adopted Linux lockers, including ALPHV, Black Basta, Conti, Lockbit, and REvil,” the report says. “These groups focus on ESXi before other Linux variants, leveraging built-in tools for the ESXi hypervisor to kill guest machines, then encrypt crucial hypervisor files.”

Smaller criminal gangs are also using the malware to implement attacks. “Ransom House’s Mario and a previously undocumented ESXi version of Play Ransomware comprise a small handful of the growing Babuk-descended ESXi locker landscape,” it says.

Babuk’s code is thought to have been leaked onto a Russian online forum. Vulnerabilities in VMware ESXi hypervisors have been widely exploited in recent months, providing access to thousands of systems and triggering a crime wave earlier this year. The vulnerabilities were used to target more than 3,800 victims, including the Georgia Institute of Technology and Rice University in Houston, as well as other such institutions in Hungary and Slovakia.

Open-source operating system Linux, which is widely used in corporate networks and to run connected IoT devices, is becoming a popular target for hackers. The trend began last year, according to a report, and corresponds to a decline in malware written for other operating systems. “New malware numbers dropped

Speaking to Tech Monitor earlier this year, Allan Liska, CSIRT at Recorded Future, said: “A lot of web hosting is done on Linux servers. Linux has always been the primary hosting platform because it’s a lot cheaper to run servers on Linux than it is on Windows.”

He went on to say: “We’re storing more and more data in the cloud and that means that a lot of what we think of as cloud infrastructure is actually being hosted on Linux machines. If data is stored in the cloud and that cloud happens to run on Linux servers, you want to be able to get access to those Linux servers to be able to steal the data.”
