Leaked Babuk and LockBit Code Fuels SEXi, Key Group, and Mallox Ransomware
Ransomware operators are increasingly building campaigns around leaked, published, purchased, or affiliate-provided malware instead of developing their own tooling, lowering the barrier to entry for new and mid-tier cybercrime groups. Research highlighted SEXi as a group targeting VMware ESXi environments with leaked Babuk code for Linux and leaked LockBit code for Windows, showing how previously exposed ransomware builders continue to enable active attacks across mixed environments.
The same reporting identified Key Group as an operator that has rotated through at least eight ransomware families since 2022 while relying on comparatively unsophisticated infrastructure, and Mallox as an operation that evolved from a private group into an affiliate program with selective recruitment. The findings indicate that leaked ransomware variants remain operationally dangerous even when used by less mature actors, because affiliate models, niche targeting, and access to proven encryptors can still support effective intrusions and larger-scale big game hunting campaigns.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
Key Group begins using multiple ransomware families
Securelist reported that Key Group had cycled through at least eight ransomware families starting in April 2022, illustrating its reliance on existing ransomware rather than developing its own malware.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Leaked Babuk Code Fueled a Wave of ESXi Locker Ransomware
SentinelLABS reported that at least 10 ransomware families built VMware ESXi encryptors from the leaked 2021 Babuk source code, turning the builder into a common foundation for hypervisor-focused attacks. The research linked code and behavioral overlaps between Babuk and ESXi lockers associated with **Play**, **Mario/Ransom House**, **Conti**, and possibly **REvil**, showing how the leak reduced the effort needed to develop Linux and ESXi ransomware. The report said adoption of Babuk-derived ESXi lockers accelerated through late 2022 and early 2023, particularly among less-resourced threat actors seeking to target virtualized environments. SentinelLABS also warned that widespread code reuse now complicates attribution across ransomware operations, and said **ESXiArgs** was likely misattributed as Babuk-derived because the overlap appears limited to its use of the `Sosemanuk` cipher implementation.
Apr 11, 2025
Ransomware Ecosystem Update: Leading Groups, RaaS Expansion, and Termite’s ClickFix Adoption
Reporting highlights a broader shift in the ransomware ecosystem toward **platform-like operations** and **ransomware-as-a-service (RaaS)** models that lower the barrier to entry and accelerate the creation of new crews. Huntress telemetry for 2025 is cited as placing **Akira** as a leading ransomware group, with operators increasingly targeting the **hypervisor layer** to bypass traditional endpoint controls; separate commentary describes rapid victim growth for **Qilin** (claimed to exceed 1,000 victims in 2025) and notes **LockBit** regaining operational capability after prior disruption. The same reporting also points to “**Extortion-as-a-Service**” offerings (including a federation described as **SLSH**—Scattered Spider/Lapsus$/ShinyHunters) that enable affiliates to rent tooling rather than develop it, contributing to a surge in newly formed groups. A separate technical write-up details **Termite** ransomware as a Babuk-derived operation first observed in late 2024 that has matured into a multi-stage intrusion and **double-extortion** threat, claiming dozens of victims across multiple sectors and regions by March 2026. The report emphasizes Termite’s operationalization of **ClickFix** (browser-based social engineering) to bypass traditional phishing defenses, and provides a distinctive forensic marker: encrypted files reportedly have the Babuk-inherited trailing string `"choung dong looks like hot dog"`, positioned as a practical indicator during triage. Another overview article catalogs major active ransomware groups and tactics, including **Lynx** (described as sharing substantial code with INC, using double extortion, appending `.lynx`, and deleting shadow copies) and **Medusa**, while reiterating law-enforcement attribution and indictments tied to **LockBit** leadership and deployment activity.
Mar 21, 2026
LockBit 5.0 Ransomware Expands Cross-Platform Attacks on Windows, Linux, and VMware ESXi
Acronis Threat Research Unit reported active campaigns using **LockBit 5.0**, a major update to the **LockBit** ransomware-as-a-service (RaaS) operation that broadens targeting across **Windows, Linux, and VMware ESXi** in coordinated intrusions. The variant continues **double extortion** (data theft plus encryption) and is positioned for enterprise impact by enabling attackers to hit endpoints, servers, and hypervisors—where a single ESXi compromise can disrupt many virtual machines at once. Reporting also notes the group’s claimed ability to operate against **Proxmox** virtualization environments, further expanding the potential attack surface in organizations adopting alternative hypervisors. Technical analysis highlights stronger and more enterprise-focused builds, with the **Windows** payload using advanced defense-evasion and anti-analysis techniques such as packing/obfuscation, **DLL unhooking**, **process hollowing**, and **ETW (Event Tracing for Windows) patching**, alongside log-clearing to reduce forensic visibility. The **Linux/ESXi** builds are described as less reliant on packing but use extensive string encryption to hinder detection, while maintaining strong encryption routines and using randomized file extensions; Acronis-linked reporting also cites faster encryption and continuity with LockBit 4’s design. Victimology cited in coverage indicates a heavy focus on the **U.S. business sector** and a broad spread across industries (including manufacturing, healthcare, education, financial services, and government), with dozens of recent leak-site postings used to pressure victims and demonstrate ongoing operational tempo despite law-enforcement disruption efforts.
Mar 21, 2026