The ransomware group's decryption tool is poorly designed and coded, leading the group to focus more on data theft than on encryption, researchers report.

Dark Reading Staff, Dark Reading

July 29, 2021

The Babuk ransomware gang, which recently announced plans to target Linux/Unix systems in addition to ESXi and VMware systems, is changing its tactics after errors in its code led to issues with decrypting data, researchers report.

For a long time, ransomware operators were primarily focused on Windows, wrote Thibault Seret, security researcher at McAfee, and Noël Keijzer, who works in digital forensics and incident response at Northwave. Now criminals have begun to experiment with writing binaries in the cross-platform language GoLang (Go). Some ransomware groups, such as Babuk, have branched out to target different operating systems.

Babuk recently announced on an underground forum that it would be developing a cross-platform binary for these *nix operating systems. "Our worst fears were confirmed," the researchers said, noting that many core backend systems in organizations run these operating systems. While Babuk is relatively new, its affiliates have "aggressively" targeted high-profile victims despite problems with the binary that led to issues with decryption, even after the companies paid.

"Ultimately, the difficulties faced by the Babuk developers in creating ESXi ransomware may have led to a change in business model, from encryption to data theft and extortion," they explained. The encryption tool is poorly designed and coded, meaning that if a victim pays, decryption can be slow, and there is no guarantee that all files will be recovered.

Read the full blog post and technical analysis for more details.
