Leaked Babuk Code Fueled a Wave of ESXi Locker Ransomware
SentinelLABS reported that at least 10 ransomware families built VMware ESXi encryptors from the leaked 2021 Babuk source code, turning the builder into a common foundation for hypervisor-focused attacks. The research linked code and behavioral overlaps between Babuk and ESXi lockers associated with Play, Mario/Ransom House, Conti, and possibly REvil, showing how the leak reduced the effort needed to develop Linux and ESXi ransomware.
The report said adoption of Babuk-derived ESXi lockers accelerated through late 2022 and early 2023, particularly among less-resourced threat actors seeking to target virtualized environments. SentinelLABS also warned that widespread code reuse now complicates attribution across ransomware operations, and said ESXiArgs was likely misattributed as Babuk-derived because the overlap appears limited to its use of the Sosemanuk cipher implementation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Adoption of Babuk-derived ESXi lockers increases across 2022 and 2023
The research found adoption of Babuk-derived ESXi lockers increased through the second half of 2022 and the first half of 2023, with multiple threat actors building ransomware from the leaked code.
Babuk source code leak enables later ESXi locker development
SentinelLABS reported that multiple later VMware ESXi ransomware families were derived from the leaked 2021 Babuk source code, which lowered the barrier for Linux and ESXi ransomware development.
SentinelLABS says ESXiArgs was likely misattributed as Babuk-derived
The report concluded that ESXiArgs was likely misattributed as Babuk-derived, finding only limited similarity in its use of the Sosemanuk cipher implementation.
SentinelLABS identifies 10 Babuk-derived ESXi ransomware families
SentinelLABS identified 10 ransomware families using VMware ESXi lockers derived from leaked Babuk code, including overlaps with lockers linked to Play, Mario/Ransom House, Conti, and possibly REvil.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Leaked Babuk and LockBit Code Fuels SEXi, Key Group, and Mallox Ransomware
Ransomware operators are increasingly building campaigns around leaked, published, purchased, or affiliate-provided malware instead of developing their own tooling, lowering the barrier to entry for new and mid-tier cybercrime groups. Research highlighted **SEXi** as a group targeting VMware **ESXi** environments with leaked **Babuk** code for Linux and leaked **LockBit** code for Windows, showing how previously exposed ransomware builders continue to enable active attacks across mixed environments. The same reporting identified **Key Group** as an operator that has rotated through at least eight ransomware families since 2022 while relying on comparatively unsophisticated infrastructure, and **Mallox** as an operation that evolved from a private group into an affiliate program with selective recruitment. The findings indicate that leaked ransomware variants remain operationally dangerous even when used by less mature actors, because affiliate models, niche targeting, and access to proven encryptors can still support effective intrusions and larger-scale **big game hunting** campaigns.
Apr 1, 2022
LockBit 5.0 Ransomware Expands Cross-Platform Attacks on Windows, Linux, and VMware ESXi
Acronis Threat Research Unit reported active campaigns using **LockBit 5.0**, a major update to the **LockBit** ransomware-as-a-service (RaaS) operation that broadens targeting across **Windows, Linux, and VMware ESXi** in coordinated intrusions. The variant continues **double extortion** (data theft plus encryption) and is positioned for enterprise impact by enabling attackers to hit endpoints, servers, and hypervisors—where a single ESXi compromise can disrupt many virtual machines at once. Reporting also notes the group’s claimed ability to operate against **Proxmox** virtualization environments, further expanding the potential attack surface in organizations adopting alternative hypervisors. Technical analysis highlights stronger and more enterprise-focused builds, with the **Windows** payload using advanced defense-evasion and anti-analysis techniques such as packing/obfuscation, **DLL unhooking**, **process hollowing**, and **ETW (Event Tracing for Windows) patching**, alongside log-clearing to reduce forensic visibility. The **Linux/ESXi** builds are described as less reliant on packing but use extensive string encryption to hinder detection, while maintaining strong encryption routines and using randomized file extensions; Acronis-linked reporting also cites faster encryption and continuity with LockBit 4’s design. Victimology cited in coverage indicates a heavy focus on the **U.S. business sector** and a broad spread across industries (including manufacturing, healthcare, education, financial services, and government), with dozens of recent leak-site postings used to pressure victims and demonstrate ongoing operational tempo despite law-enforcement disruption efforts.
Mar 21, 2026
Kyber ransomware hit Windows and ESXi in coordinated cross-platform attacks
Rapid7 reported that a **Kyber ransomware** affiliate deployed two distinct payloads in the same March 2026 intrusion, targeting both **VMware ESXi** infrastructure and **Windows file servers** to maximize operational disruption. The ESXi variant encrypted VMware datastore files, could optionally terminate virtual machines, and defaced SSH and web management interfaces with ransom notes. The Windows variant targeted core file systems and added broader impact features, including killing backup-, database-, and IIS-related services, deleting shadow copies, disabling recovery options, clearing event logs, and testing an experimental **Hyper-V** shutdown capability. The two samples shared the same campaign ID and **Tor-based** negotiation and leak infrastructure, linking them to the same affiliate, but their internals differed sharply. Rapid7 found the ESXi payload falsely advertised post-quantum protection with `Kyber1024`; in practice, it used **ChaCha8** with **RSA-4096** key wrapping. By contrast, the Windows variant, written in **Rust**, appeared to implement the claimed hybrid scheme using **AES-256-CTR**, `Kyber1024`, and **X25519**. Public reporting indicates the group remains relatively new, with limited prior technical analysis and only one victim publicly listed on its extortion site: a large U.S. defense contractor and IT services provider.
Apr 27, 2026