Security News

VMWare has shipped updates to Workstation, Fusion, and ESXi products to address an "Important" security vulnerability that could be weaponized by a threat actor to take control of affected systems. The company credited Jaanus Kääp, a security researcher with Clarified Security, for reporting the flaw.

Sophos has released details of a new ransomware written in Python that attackers used to compromise and encrypt virtual machines hosted on an ESXi hypervisor."This is one of the fastest ransomware attacks Sophos has ever investigated and it appeared to precision-target the ESXi platform," said Andrew Brandt, principal researcher at Sophos.

Researchers have discovered a new Python ransomware from an unnamed gang that's striking ESXi servers and virtual machines with what they called "Sniper-like" speed. While the choice of Python for the ransomware is fairly distinctive, going after ESXi servers is anything but.

Operators of an unknown ransomware gang are using a Python script to encrypt virtual machines hosted on VMware ESXi servers. While the Python programming language is not commonly used in ransomware development, it is a logical choice for ESXi systems, seeing that such Linux-based servers come with Python installed by default.

The BlackMatter gang has joined the ranks of ransomware operations to develop a Linux encryptor that targets VMware's ESXi virtual machine platform. With VMware ESXi being the most popular virtual machine platform, almost every enterprise-targeting ransomware operation has begun to release encryptors that specifically target its virtual machines.

For the first time, researchers have publicly spotted a Linux encryptor used by the HelloKitty ransomware gang: the outfit behind the February attack on videogame developer CD Projekt Red. On Wednesday, MalwareHunterTeam disclosed its discovery of numerous Linux ELF-64 versions of the HelloKitty ransomware targeting VMware ESXi servers and virtual machines running on them.

The ransomware gang behind the highly publicized attack on CD Projekt Red uses a Linux variant that targets VMware's ESXi virtual machine platform for maximum damage. Yesterday, security researcher MalwareHunterTeam found numerous Linux ELF64 versions of the HelloKitty ransomware targeting ESXi servers and the virtual machines running on them.

VMware on Tuesday announced the availability of patches for vulnerabilities impacting its ESXi hypervisor, Cloud Foundation hybrid cloud platform, and ThinApp application virtualization tool. According to VMware, a malicious actor that has network access to port 5989 on ESXi may send a specially crafted request to bypass SFCB authentication.

"REvil ransomware authors have expanded their arsenal to include Linux ransomware, which allows them to target ESXi and NAS devices," Caspi wrote. In a nod to research by AdvIntel in early May 2021, which reported REvil's intent to port its Windows-based ransomware to Linux, Caspi confirmed the Linux variant was spotted in May "Affecting *nix systems and ESXi.".

The REvil ransomware operation is now using a Linux encryptor that targets and encrypts Vmware ESXi virtual machines. With the enterprise moving to virtual machines for easier backups, device management, and efficient use of resources, ransomware gangs increasingly create their own tools to mass encrypt storage used by VMs. In May, Advanced Intel's Yelisey Boguslavskiy shared a forum post from the REvil operation where they confirmed that they had released a Linux version of their encryptor that could also work on NAS devices.