
Linux Variant of HelloKitty Ransomware Targets VMware ESXi Servers
2021-07-16 21:10

For the first time, researchers have publicly spotted a Linux encryptor used by the HelloKitty ransomware gang: the outfit behind the February attack on videogame developer CD Projekt Red.

On Wednesday, MalwareHunterTeam disclosed its discovery of numerous Linux ELF-64 versions of the HelloKitty ransomware targeting VMware ESXi servers and virtual machines running on them.

VMware ESXi, formerly known as ESX, is a bare-metal hypervisor that installs easily onto servers and partitions them into multiple VMs. While that makes it easy for multiple VMs to share the same hard-drive storage, it sets systems up to be one-stop shopping spots for attacks, since attackers can encrypt the centralized virtual hard drives used to store data from across VMs. That's how AT&T Cybersecurity's Alien Labs explained it earlier in the month, when the REvil ransomware threat actors came up with a Linux variant that likewise targeted VMware ESXi, as well as its network-attached storage devices.

Schrader told Threatpost on Friday that on top of the attraction of ESXi servers as a target, "Going that extra mile to add Linux as the origin of many virtualization platforms to functionality" has the welcome side effect of enabling attacks on any Linux machine.

MalwareHunterTeam shared samples of the HelloKitty Linux variant with BleepingComputer, which published technical details including strings referencing ESXi and the ransomware's attempts to shut down running VMs. As you can see in the multiple "Kill" checks in the replicated sample below, the ransomware is using ESXi's "Esxcli" command-line management tool to list the running VMs on the server and attempt to shut them down - first with a soft kill, then a hard kill, then a forced kill.
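The soft-then-hard-then-force kill sequence described above is a usable detection hook on the host side, because a legitimate administrator rarely walks every VM through all three kill types in quick succession. The script below is an added example, not code from the Threatpost article or from the BleepingComputer analysis. It parses constructed log lines that approximate the format of ESXi's /var/log/shell.log (the precise line layout on a given ESXi build is an assumption, as are the sample timestamps and world IDs) and flags any shell session that escalates kills against one VM or that issues kills against several VMs.

```python
import re
from collections import defaultdict

# Constructed sample lines approximating ESXi /var/log/shell.log entries.
# Session 1001 mimics the pattern the article describes; session 1002 is a
# single soft kill and should not be flagged as an escalation.
SAMPLE_LOG = """\
2021-07-16T21:05:01Z shell[1001]: [root]: esxcli vm process list
2021-07-16T21:05:03Z shell[1001]: [root]: esxcli vm process kill --type=soft --world-id=2100
2021-07-16T21:05:04Z shell[1001]: [root]: esxcli vm process kill --type=hard --world-id=2100
2021-07-16T21:05:05Z shell[1001]: [root]: esxcli vm process kill --type=force --world-id=2100
2021-07-16T21:05:06Z shell[1001]: [root]: esxcli vm process kill --type=soft --world-id=2101
2021-07-16T21:05:07Z shell[1001]: [root]: esxcli vm process kill --type=hard --world-id=2101
2021-07-16T21:05:08Z shell[1001]: [root]: esxcli vm process kill --type=force --world-id=2101
2021-07-16T22:00:00Z shell[1002]: [root]: esxcli vm process kill --type=soft --world-id=2102
"""

# Assumed shell.log layout: "<timestamp> shell[<pid>]: [<user>]: <command>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)
# Matches "esxcli vm process kill" with either long or short option spelling.
KILL_RE = re.compile(
    r"esxcli\s+vm\s+process\s+kill\s+"
    r"(?:--type[= ]|-t\s+)(?P<type>\w+)\s+"
    r"(?:--world-id[= ]|-w\s+)(?P<wid>\d+)"
)
ESCALATION = ("soft", "hard", "force")


def parse_kills(log_text):
    """Yield (session_pid, world_id, kill_type, timestamp) for each kill command found."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        k = KILL_RE.search(m.group("cmd"))
        if k:
            yield m.group("pid"), k.group("wid"), k.group("type").lower(), m.group("ts")


def find_kill_escalations(log_text):
    """Return [(session_pid, world_id)] where soft, hard and force kills were issued
    in that order against the same VM within one shell session."""
    seen = defaultdict(list)  # (pid, wid) -> kill types in log order
    for pid, wid, ktype, _ in parse_kills(log_text):
        seen[(pid, wid)].append(ktype)
    hits = []
    for key, types in seen.items():
        # Subsequence check: does soft, hard, force appear in that order?
        idx = 0
        for t in types:
            if idx < len(ESCALATION) and t == ESCALATION[idx]:
                idx += 1
        if idx == len(ESCALATION):
            hits.append(key)
    return hits


def sessions_killing_many_vms(log_text, min_vms=2):
    """Return {session_pid: sorted world IDs} for sessions that issued kill
    commands against at least min_vms distinct VMs (mass shutdown before encryption)."""
    per_session = defaultdict(set)
    for pid, wid, _, _ in parse_kills(log_text):
        per_session[pid].add(wid)
    return {pid: sorted(w) for pid, w in per_session.items() if len(w) >= min_vms}


if __name__ == "__main__":
    for pid, wid in find_kill_escalations(SAMPLE_LOG):
        print(f"ALERT: session {pid} escalated soft->hard->force against world {wid}")
    for pid, wids in sessions_killing_many_vms(SAMPLE_LOG).items():
        print(f"ALERT: session {pid} killed {len(wids)} VMs: {', '.join(wids)}")
```

In production the same logic would run over forwarded shell.log entries (or the equivalent audit records) in a SIEM; the two functions are kept separate so that a single escalation against one VM and a broad kill across many VMs can be scored differently.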

At this point, besides the HelloKitty and REvil variants, the list of ransomware operators that have introduced Linux encryptors to target ESXi VMs also includes Babuk, RansomExx/Defray 777, PYSA/Mespinoza, GoGoogle, and the now-defunct DarkSide.


News URL

https://threatpost.com/linux-variant-of-hellokitty-ransomware-targets-vmware-esxi-servers/167883/

Related vendor

Vendor   Last 12 months   # products   Low    Medium   High   Critical   Total vulns
Linux    18               397          1368   1114     696    3575
Vmware   186              85           404    200      101    790