Babuk code resurfaces in criminal activity.
May 12, 2023

Babuk source code resurfaces as an outline for newer ransomware families.

The leaked Babuk ransomware source code has become a treasure trove for ransomware operators, Bleeping Computer reports.

Babuk source code as inspiration.

The Babuk code was leaked on a Russian forum in September of 2021, Decipher reports. Throughout the second half of 2022 and the first half of 2023, SentinelLabs researchers discovered ten ransomware families using VMware ESXi lockers based on the Babuk code. “There is a noticeable trend that actors increasingly use the Babuk builder to develop ESXi and Linux ransomware,” said the researchers in their release.

Babuk malware targets Linux devices.

The malware compromises VMware ESXi servers on Linux machines. The researchers noted that “The talent pool for Linux malware developers is surely much smaller in ransomware development circles, which have historically held demonstrable expertise in crafting elegant Windows malware.” Use of Babuk code is expected to increase, and may do so in tandem with the anticipated growth of the Go-based locker version that targets network-attached storage (NAS) devices.

Industry commentary on the use of Babuk code.

James McQuiggan, Security Awareness Advocate at KnowBe4, described the use of this code as a concerning development in the evolution of cybercriminal ransomware:

"Using the leaked Babuk source code from 2021 to develop advanced ransomware is a concern as cybercriminals continue evolving their tools to significantly impact their targets, considering the targeted application is a critical component in numerous on-prem and hybrid enterprise networks. Additionally, this new threat suggests that cybercriminals are not just using this code as a blueprint for their malicious activities but also customizing it to their nefarious ends, potentially making detection and mitigation even more challenging. Furthermore, with this style of attack, implementing robust backup and recovery strategies for virtual systems becomes even more essential to ensure business continuity during a successful attack. This democratization of this style of reusing older code is a reminder of the continuing evolution of cybercriminals and the threat landscape. It's not enough to patch and protect against known vulnerabilities. Organizations must look beyond traditional perimeter-based defenses and adopt a more robust, multi-layered cybersecurity strategy that includes threat intelligence, endpoint protection and new-school employee security awareness training. As the threat landscape continues to evolve, so must our cybersecurity defenses. The key is staying informed, vigilant and one step ahead of the cybercriminals."