Cybercriminals behind Babuk ransomware announced in an underground forum that they are developing malware targeting *nix and VMware ESXi systems.
Security researchers first spotted the new ransomware family, Babuk, at the beginning of 2021, and it was responsible for at least five company breaches as of January 2021.
In April, the Babuk threat actors claimed to have stolen 250 gigabytes of data from the Washington D.C. Police. Shortly thereafter, they allegedly shut down.
According to a recent McAfee report, however, the Babuk actors are now developing binaries in the cross-platform language Golang (Go) to target Linux/UNIX and VMware ESXi systems. This is a shift in approach since ransomware has historically targeted Windows systems.
This could pose an even bigger threat, since many enterprise core back-end systems run on *nix-based operating systems. VMware ESXi is a popular bare-metal hypervisor used to host virtual desktop and server environments, so encrypting a single ESXi host can take down every virtual machine running on it at once.
Moreover, McAfee observed that much of the previous Babuk malicious code was poorly developed and riddled with bugs, which could make it hard, if not impossible, for victims to decrypt data encrypted by the ransomware even after paying.
“Indeed, the design and coding of the decryption tool are poorly developed, meaning if companies decide to pay the ransom, the decoding process for encrypted files can be really slow and there is no guarantee that all files will be recoverable,” Thibault Seret of McAfee wrote.
As a result, the bad actors may shift their business model from encryption to data theft and extortion.
Adam Kujawa, director of Malwarebytes Labs, warned, however, that you may want to take their word with a grain of salt.
“Ransom actors are professional liars and scammers; to believe anything they say is a mistake.”