- Docker Desktop 4.36 | Docker
- This 3-in-1 MagSafe dock will charge your Apple devices while keeping them cool (and for Black Friday it's only $48)
- Why Cisco Leads with Wi-Fi 7: Transforming Future Connectivity
- What is AI networking? How it automates your infrastructure (but faces challenges)
- I traveled with a solar panel that's lighter than a MacBook, and it's my new backpack essential (and now get 23% off for Black Friday)
Linux version of REvil ransomware targets ESXi VM
The REvil ransomware operators added a Linux encryptor to their arsenal to encrypt Vmware ESXi virtual machines.
The REvil ransomware operators are now using a Linux encryptor to encrypts Vmware ESXi virtual machines which are widely adopted by enterprises.
The availability of the Linux encryptor was announced by the REvil gang in May, a circumstance that suggests the group is expanding its operation.
Now MalwareHunterTeam researchers spotted a Linux version of the REvil ransomware that also targets ESXi servers, BleepingComputer reported.
REvil ransomware Linux version…
👀
Config base:
{“pk”:”[…]”,”pid”:”[…]”,”sub”:”[…]”,”dbg”:false,”et”:0,”nbody”:”[…]”,”nname”:”{EXT}-readme.txt”,”rdmcnt”:0,”ext”:”.[…]”}
“Using silent mode, if you on esxi – stop VMs manualy”@demonslay335 @VK_Intel pic.twitter.com/K08zJuI5Z8— MalwareHunterTeam (@malwrhunterteam) June 28, 2021
The popular malware researcher Vitali Kremez explained that the new variant is an ELF64 executable with the same configuration options as the Windows version.
“Kremez states that this is the first known time the Linux variant has been publicly available since it was released.” states BleepingComputer.
2021-06-28:🔥🔒#REvil #Ransomware Goes Elf Hunting for VMware ESXi VM | Linux 64-Bit Flavor
1⃣Leverages “esxcli” CLI component to kill VMs via world id
2⃣affiliate “sub”:”7864″ | usual struct
3⃣GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.4) 4.8.4
*requires admin /vmfsht @malwrhunterteam pic.twitter.com/guhYzXkeBL
— Vitali Kremez (@VK_Intel) June 28, 2021
Upon executing on ESXi servers, the Linux version of the ransomware will run the esxcli command line tool to list all running ESXi virtual machines and close the virtual machine disk (VMDK) files stored in the /vmfs/ folder. Then the REvil ransomware will encrypt the files.
esxcli –formatter=csv –format-param=fields==”WorldID,DisplayName” vm process list | awk -F “”*,”*” ‘{system(“esxcli vm process kill –type=force –world-id=” $1)}’
Indicators of Compromise (IoC) for REvil Linux encryptor have been published by security expert Jaime Blasco on Alienvault’s Open Threat Exchange.
Follow me on Twitter: @securityaffairs and Facebook
Pierluigi Paganini
International Editor-in-Chief
Cyber Defense Magazine