Threat behavior
Ransom:Linux/Babuk!rfn is built on C++ and Go, producing an ELF binary optimized for x86-64 and ARM architectures. The malware implements a tiered encryption scheme that combines symmetric and asymmetric algorithms. For symmetric file encryption, the Linux variant uses a stream cipher, a deliberate choice for performance when processing large VMDK files in virtualized environments. Key exchange is handled through Elliptic-curve Diffie-Hellman (ECDH) using Curve25519, ensuring that each infected file receives a unique symmetric key encrypted with the threat actor's public key. Babuk accepts command-line parameters including "--path" to specify target directories, "--threads" to control concurrency with a default of 50 threads, and "--silent" to suppress VM notification. Network indicators include command and control communication with IP addresses observed as 216[.]245[.]184[.]181, 212[.]237[.]217[.]182, and 168[.]119[.]96[.]41.
Babuk's capability to target VMware ESXi directly is activated through native command-line tools. Upon launch, it identifies running virtual machines using "esxcli --formatter=csv vm process list" and force-closes them by World ID with "esxcli vm process kill --type=force --world-id=". To maintain control, it deactivates the ESXi firewall using "esxcli network firewall set --enabled false". Advanced variants can change the ESXi root password and drop existing SSH sessions to prevent administrative intervention. Persistence mechanisms in Linux environments include dropping ELF files to "/var/tmp/" and creating cron jobs in "/etc/cron.d/" for periodic launches. Evasion techniques involve deactivating backup services and database daemons to release file handles, as well as clearing command history to hinder forensic analysis.
The original build supported three distinct target platforms, each with a specialized encryptor. The Windows version utilized the HC-128 stream cipher, whereas the Linux and ESXi variants shifted to a different stream cipher to better handle the throughput requirements of large virtual disk files. Following the source code leak, multiple forked projects emerged that retained the core encryption logic while modifying deployment mechanisms. Some variants introduced a highly automated deployment framework called MrAgent that acts as a command-and-control (C2) orchestrator, allowing threat actors to push the Babuk-based encryptor to multiple ESXi hosts simultaneously. The original code included modules for deactivating security software and backup agents, a feature that has been adopted by numerous ransomware threat actors.
The RansomHouse group has been observed using MrAgent to manage their Babuk-derived encryptors. This tool performs system checks to determine host configuration, retrieves MAC addresses and local IP addresses, then attempts to deactivate the ESXi firewall to ensure uninterrupted communication with C2 servers. MrAgent then enters a command-launch loop that can receive instructions to change root passwords, drop existing SSH sessions, and modify the Message of the Day file to display ransom warnings.
Prevention
- Activate Strict Lockdown Mode on ESXi hosts to deactivate direct console and shell access, forcing all management tasks through vCenter.
- Deactivate SSH services by default and activate them only for specific maintenance windows using PowerCLI to ensure they do not start automatically.
- Block incoming traffic to sensitive ports such as TCP 427, which has been a primary vector for Babuk-derived campaigns.
- Prioritize patching for critical vulnerabilities that affect hypervisor management interfaces and authentication mechanisms.
- Secure the administrative groups used for hypervisor management and review their membership, since certain vulnerabilities allow users added to these groups to gain full administrative access.
- Enforce phishing-resistant multi-factor authentication for all access to vCenter and management interfaces.
- Follow the principle of least privilege by avoiding broad administrative roles and creating custom roles with the minimum permissions required for specific functions.
- Isolate management networks by placing vCenter Server and ESXi management interfaces on a dedicated, firewalled VLAN inaccessible from general user networks.
- Deploy endpoint detection and response solutions providing continuous monitoring to detect early signs such as the unusual launch of hypervisor management commands.
- Adopt immutable storage solutions using filesystem-level immutability to ensure backup data cannot be modified or deleted.
- Regularly practice recovery procedures in an isolated environment to validate restoration processes for virtual machine clusters.
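To make the monitoring recommendation above concrete, the following is an added detection example (not from this page or from Microsoft) that matches the ESXi command sequence described under Threat behavior against constructed log lines in the style of ESXi's shell.log; the log line format, the rule names and the severity weights are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the style of ESXi's /var/log/shell.log
# (timestamp, process, user, command); the exact format is an assumption.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z shell[2001]: [root]: esxcli --formatter=csv vm process list
2024-03-01T09:00:03Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2099821
2024-03-01T09:00:04Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2099834
2024-03-01T09:00:07Z shell[2001]: [root]: esxcli network firewall set --enabled false
2024-03-01T09:00:09Z shell[2001]: [root]: cp /var/tmp/.x /etc/cron.d/sysupd
2024-03-01T09:15:00Z shell[2002]: [admin]: esxcli system version get
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# Each rule: (name, pattern over the command text, assumed severity 1-3).
# Patterns mirror the commands and paths named in the Threat behavior section.
RULES = [
    ("vm_inventory_csv", re.compile(r"esxcli\s+--formatter=csv\s+vm\s+process\s+list"), 1),
    ("vm_force_kill", re.compile(r"esxcli\s+vm\s+process\s+kill\s+.*--type=force"), 3),
    ("firewall_disabled", re.compile(r"esxcli\s+network\s+firewall\s+set\s+.*--enabled\s+false"), 3),
    ("cron_d_write", re.compile(r"(>|\bcp\b|\bmv\b|\btee\b).*?/etc/cron\.d/"), 2),
    ("var_tmp_staging", re.compile(r"/var/tmp/"), 1),
]

def parse_line(line):
    """Split one shell.log line into timestamp, user and command; None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def scan(log_text):
    """Return (alerts, score): alerts are (ts, user, rule, cmd) tuples, score is summed severity."""
    alerts, score = [], 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for name, pattern, sev in RULES:
            if pattern.search(rec["cmd"]):
                alerts.append((rec["ts"], rec["user"], name, rec["cmd"]))
                score += sev
    return alerts, score

def triage(log_text, threshold=6):
    """Inventory, forced VM kills and a firewall disable in one burst is the described sequence;
    escalate once the summed severity crosses the (assumed) threshold."""
    alerts, score = scan(log_text)
    by_rule = Counter(name for _, _, name, _ in alerts)
    return {"score": score, "rules": dict(by_rule), "escalate": score >= threshold}
```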
For more tips on how to keep your device safe, go to the Microsoft security help & learning portal.
To learn more about preventing trojans or other malware from affecting individual devices, read about preventing malware infection.