
REvil ransomware's new Linux encryptor targets ESXi virtual machines
2021-06-28 21:26

The REvil ransomware operation is now using a Linux encryptor that targets and encrypts VMware ESXi virtual machines.

With the enterprise moving to virtual machines for easier backups, device management, and efficient use of resources, ransomware gangs increasingly create their own tools to mass encrypt storage used by VMs. In May, Advanced Intel's Yelisey Boguslavskiy shared a forum post from the REvil operation where they confirmed that they had released a Linux version of their encryptor that could also work on NAS devices.

Today, security researcher MalwareHunterTeam found a Linux version of the REvil ransomware that also appears to target ESXi servers.

When executed on an ESXi server, it runs the esxcli command-line tool to list all running virtual machines and terminate them.

Terminating the VMs closes their virtual disk files stored under /vmfs/, so that the REvil encryptor can encrypt those files without ESXi holding locks on them.
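The behaviour described above (a list of running VMs followed by a burst of terminations from one shell session) is something a defender can look for in the ESXi shell log. The following is an added detection example, not code from the article, BleepingComputer or REvil: it parses constructed lines in the shape of /var/log/shell.log entries (the exact line format and the standard `esxcli vm process list` / `esxcli vm process kill` subcommands are assumptions, since the article names only the tool) and raises an alert when several kill commands from the same shell process land inside a short window, noting whether a `process list` preceded them.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape of ESXi /var/log/shell.log entries
# (format assumed; world IDs and PIDs are made up for the example).
SAMPLE_LOG = """\
2021-06-28T21:20:03Z shell[2099001]: [root]: esxcli system version get
2021-06-28T21:25:41Z shell[2099888]: [root]: esxcli vm process list
2021-06-28T21:25:42Z shell[2099888]: [root]: esxcli vm process kill --type=force --world-id=2100111
2021-06-28T21:25:42Z shell[2099888]: [root]: esxcli vm process kill --type=force --world-id=2100222
2021-06-28T21:25:43Z shell[2099888]: [root]: esxcli vm process kill --type=force --world-id=2100333
2021-06-28T21:40:10Z shell[2100500]: [root]: esxcli vm process kill --type=soft --world-id=2100444
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b")
LIST_RE = re.compile(r"\besxcli\s+vm\s+process\s+list\b")


def parse_shell_log(text):
    """Turn shell.log text into a list of {ts, pid, user, cmd} events; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "pid": int(m["pid"]), "user": m["user"], "cmd": m["cmd"]})
    return events


def find_mass_vm_kills(events, window=timedelta(seconds=60), threshold=3):
    """Alert once per shell session (pid) whose kill commands reach `threshold` inside `window`.

    Each alert records whether an `esxcli vm process list` from the same session
    ran within `window` before the first kill, the sequence the article describes.
    """
    alerts = []
    by_pid = {}
    for e in events:
        if KILL_RE.search(e["cmd"]):
            by_pid.setdefault(e["pid"], []).append(e)

    for pid, kills in by_pid.items():
        kills.sort(key=lambda e: e["ts"])
        for i in range(len(kills)):
            # Extend j as far as kills stay within `window` of kill i.
            j = i
            while j + 1 < len(kills) and kills[j + 1]["ts"] - kills[i]["ts"] <= window:
                j += 1
            count = j - i + 1
            if count < threshold:
                continue
            first = kills[i]["ts"]
            preceded_by_list = any(
                e["pid"] == pid
                and LIST_RE.search(e["cmd"])
                and first - window <= e["ts"] <= first
                for e in events
            )
            alerts.append({
                "pid": pid,
                "user": kills[i]["user"],
                "first_kill": first.isoformat(),
                "kill_count": count,
                "preceded_by_list": preceded_by_list,
            })
            break  # one alert per session is enough
    return alerts


if __name__ == "__main__":
    for alert in find_mass_vm_kills(parse_shell_log(SAMPLE_LOG)):
        print(alert)
```

A single `process kill` is routine administration, so the threshold and window are the tuning knobs; an operator would lower the threshold on hosts where VM terminations from the shell are rare, and would correlate the alert with the VM-locked-file symptom on /vmfs/ datastores that the article describes.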

Wosar told BleepingComputer that other ransomware operations, such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and HelloKitty, have also created Linux encryptors to target ESXi virtual machines.


News URL

https://www.bleepingcomputer.com/news/security/revil-ransomwares-new-linux-encryptor-targets-esxi-virtual-machines/

Related vendor

Vendor   Last 12M #/products   Low   Medium   High   Critical   Total vulns
Linux    18                    380   1428     1130   696        3634