The leak of the Babuk ransomware code in September 2021 has led to the development of multiple ransomware families capable of targeting VMware ESXi systems. Several cybercrime groups have used the leaked source code to create new variants, indicating a growing trend of Babuk code adoption.


Ransomware strains like Cylance, Rorschach and RTM Locker have emerged based on the Babuk source code: in a recent report, cybersecurity firm SentinelOne has identified overlaps between Babuk and ESXi lockers attributed to Conti and REvil.

Other ransomware families like LOCK4, DATAF, Mario and Play have incorporated features from Babuk into their code. However, there is no similarity found between Babuk and ALPHV, Black Basta, Hive and LockBit’s ESXi lockers: there is also a possibility that threat actors may turn to Babuk’s Go-based NAS locker due to its popularity.

In addition, threat actors associated with Royal ransomware, suspected to be former Conti members, have introduced an ELF variant capable of targeting Linux and ESXi environments, used to attack numerous organizations in sectors such as manufacturing, retail, legal services, education, construction, and healthcare in the U.S., Canada, and Germany.

Indicators of Compromise

| SHA | | —————————————- | | b93d649e73c21efea10d4d811b711316206c0509 | | cd19c2741261de97e91943148ba8c0863567b461 | | 885a734c7869b52aa125674cb430199b2645cda0 | | e8bb26f62983055cfb602aa39a89998e8f512466 | | dc8b9bc46f1d23779d3835f2b3648c21f4cf6151 | | 9290478cda302b9535702af3a1dada25818ad9ce | | 76fb0d08fd5b9c52cb9da118ce5561cc0462555f | | 048b3942c715c6bff15c94cdc0bb4414dbab9e07 | | 091f4bddea8bf443bc8703730f15b21f7ccf00e9 | | ee827023780964574f28c6ba333d800b73eae5c4 | | 74e4b2f7abf9dbd376372c9b05b26b02c2872e4b | | 29f16c046a344e0d0adfea80d5d7958d6b6b8cfa | | 933ad0a7d9db57b92144840d838f7b10356c7e51 | | 71ed640ebd8377f52bda4968398c62c97ae1c3ed | | 3b1a2847e006007626ced901e402f1a33bb800c7 |