Security News > 2021 > June > REvil ransomware's new Linux encryptor targets ESXi virtual machines

REvil ransomware's new Linux encryptor targets ESXi virtual machines
2021-06-28 21:26

The REvil ransomware operation is now using a Linux encryptor that targets and encrypts Vmware ESXi virtual machines.

With the enterprise moving to virtual machines for easier backups, device management, and efficient use of resources, ransomware gangs increasingly create their own tools to mass encrypt storage used by VMs. In May, Advanced Intel's Yelisey Boguslavskiy shared a forum post from the REvil operation where they confirmed that they had released a Linux version of their encryptor that could also work on NAS devices.

Today, security researcher MalwareHunterTeam found a Linux version of the REvil ransomware that also appears to target ESXi servers.

When executed on ESXi servers, it will run the esxcli command line tool to list all running ESXi virtual machines and terminate them.

This command is used to close the virtual machine disk files stored in the /vmfs/ folder so that the REvil ransomware malware can encrypt the files without them being locked by ESXi.

Wosar told BleepingComputer that other ransomware operations, such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and Hellokitty have also created Linux encryptors to target ESXi virtual machines.


News URL

https://www.bleepingcomputer.com/news/security/revil-ransomwares-new-linux-encryptor-targets-esxi-virtual-machines/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Linux 11 64 2312 1489 67 3932