Linux Variant of HelloKitty Ransomware Targets VMware ESXi Servers (Security News, July 2021)
For the first time, researchers have publicly spotted a Linux encryptor used by the HelloKitty ransomware gang: the outfit behind the February attack on videogame developer CD Projekt Red.
On Wednesday, MalwareHunterTeam disclosed its discovery of numerous Linux ELF-64 versions of the HelloKitty ransomware targeting VMware ESXi servers and virtual machines running on them.
VMware ESXi, formerly known as ESX, is a bare-metal hypervisor that installs easily onto servers and partitions them into multiple VMs. While that makes it easy for multiple VMs to share the same hard-drive storage, it sets systems up to be one-stop shopping spots for attacks, since attackers can encrypt the centralized virtual hard drives used to store data from across VMs. That's how AT&T Cybersecurity's Alien Labs explained it earlier in the month, when the REvil ransomware threat actors came up with a Linux variant that likewise targeted VMware ESXi, as well as its network-attached storage devices.
Schrader told Threatpost on Friday that on top of the attraction of ESXi servers as a target, "Going that extra mile to add Linux as the origin of many virtualization platforms to functionality" has the welcome side effect of enabling attacks on any Linux machine.
MalwareHunterTeam shared samples of the HelloKitty Linux variant with BleepingComputer, which published technical details including strings referencing ESXi and the ransomware's attempts to shut down running VMs. As the multiple "Kill" checks in the published sample show, the ransomware uses ESXi's `esxcli` command-line management tool to list the running VMs on the server and attempt to shut them down: first with a soft kill, then a hard kill, then a forced kill.
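The soft/hard/force escalation against every running VM is a pattern defenders can look for in ESXi shell history. The following is an added detection example, not code from the article, from BleepingComputer, or from VMware: it parses constructed log lines approximating ESXi's shell log (the world IDs, timestamps and line layout are made up for the example) and flags a host where the same VM receives a soft, then hard, then force kill and several VMs are killed within a short window.

```python
"""Flag esxcli kill sequences consistent with mass VM shutdown before encryption.

Added example. The log format is a constructed approximation of ESXi's
/var/log/shell.log; world IDs and timestamps are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a VM listing, then rapid soft -> hard -> force kills of
# two VMs (the article's pattern), then an isolated soft kill hours later.
SAMPLE_LOG = """\
2021-07-16T10:15:01Z shell[2001]: [root]: esxcli vm process list
2021-07-16T10:15:02Z shell[2001]: [root]: esxcli vm process kill --type=soft --world-id=100001
2021-07-16T10:15:03Z shell[2001]: [root]: esxcli vm process kill --type=hard --world-id=100001
2021-07-16T10:15:04Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=100001
2021-07-16T10:15:05Z shell[2001]: [root]: esxcli vm process kill --type=soft --world-id=100002
2021-07-16T10:15:06Z shell[2001]: [root]: esxcli vm process kill --type=hard --world-id=100002
2021-07-16T10:15:07Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=100002
2021-07-16T11:40:00Z shell[2107]: [root]: esxcli vm process kill --type=soft --world-id=100003
2021-07-16T11:52:00Z shell[2107]: [root]: esxcli storage filesystem list
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
TYPE_RE = re.compile(r"--type[= ](soft|hard|force)")
WID_RE = re.compile(r"--world-id[= ](\d+)")
KILL_ORDER = {"soft": 0, "hard": 1, "force": 2}


def parse(log_text):
    """Yield (timestamp, user, command) for every line matching the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], m["cmd"]


def detect_kill_escalation(log_text, window=timedelta(minutes=5), min_vms=2):
    """Combine two signals into one finding.

    escalation: one world-id receives soft, then hard, then force kill
    breadth:    at least `min_vms` distinct VMs are killed inside `window`
    """
    kills_by_wid = defaultdict(list)
    all_kills = []
    for ts, _user, cmd in parse(log_text):
        if "esxcli vm process kill" not in cmd:
            continue
        t, w = TYPE_RE.search(cmd), WID_RE.search(cmd)
        if not (t and w):
            continue
        kills_by_wid[w.group(1)].append((ts, t.group(1)))
        all_kills.append((ts, w.group(1)))

    # A VM is "escalated" when its kill types, in time order, are exactly soft, hard, force.
    escalated = sorted(
        wid for wid, events in kills_by_wid.items()
        if [KILL_ORDER[k] for _, k in sorted(events)] == [0, 1, 2]
    )

    # Sliding window: most distinct VMs killed within `window` of any one kill.
    all_kills.sort()
    max_distinct = 0
    for i, (start, _) in enumerate(all_kills):
        in_window = {wid for ts, wid in all_kills[i:] if ts - start <= window}
        max_distinct = max(max_distinct, len(in_window))

    return {
        "escalated_vms": escalated,
        "max_vms_killed_in_window": max_distinct,
        "suspicious": bool(escalated) and max_distinct >= min_vms,
    }


if __name__ == "__main__":
    print(detect_kill_escalation(SAMPLE_LOG))
```

An administrator powering off a stuck VM normally produces a single kill, so the finding requires both the full escalation on one VM and several VMs hit within the window; tune `window` and `min_vms` to the size of the host.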
At this point, besides the HelloKitty and REvil variants, the list of ransomware operators that have introduced Linux encryptors to target ESXi VMs also includes Babuk, RansomExx/Defray 777, PYSA/Mespinoza, GoGoogle, and the now-defunct DarkSide.
News URL
https://threatpost.com/linux-variant-of-hellokitty-ransomware-targets-vmware-esxi-servers/167883/