
Babuk code used by 9 ransomware gangs to encrypt VMware ESXi servers
2023-05-11 18:04

An increasing number of ransomware operations are adopting the leaked Babuk ransomware source code to create Linux encryptors targeting VMware ESXi servers.

"There is a noticeable trend that actors increasingly use the Babuk builder to develop ESXi and Linux ransomware," said SentinelLabs threat researcher Alex Delamotte.

The list of new ransomware families that have adopted it to build new Babuk-based ESXi encryptors since H2 2022 includes Play, Mario, Conti POC, REvil aka Revix, Cylance ransomware, Dataf Locker, Rorschach aka BabLock, Lock4, and RTM Locker.

These add to the many other unique, non-Babuk-based ransomware strains targeting VMware ESXi virtual machines that have been discovered in the wild over the past several years.

The Babuk gang's ransomware source code was leaked on a Russian-speaking hacking forum in September 2021, together with VMware ESXi, NAS, and Windows encryptors, as well as encryptors and decryptors compiled for some of the gang's victims.

Babuk members splintered off, with the admin launching the Ramp cybercrime forum and the other core members relaunching the ransomware as Babuk V2.


News URL

https://www.bleepingcomputer.com/news/security/babuk-code-used-by-9-ransomware-gangs-to-encrypt-vmware-esxi-servers/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Vmware 186 83 403 198 101 785