The REvil ransomware operators added a Linux encryptor to their arsenal to encrypt Vmware ESXi virtual machines.
The REvil ransomware operators are now using a Linux encryptor to encrypts Vmware ESXi virtual machines which are widely adopted by enterprises.
The availability of the Linux encryptor was announced by the REvil gang in May, a circumstance that suggests the group is expanding its operation.
Now MalwareHunterTeam researchers spotted a Linux version of the REvil ransomware that also targets ESXi servers, BleepingComputer reported.
REvil ransomware Linux version…
👀
Config base:
{"pk":"[…]","pid":"[…]","sub":"[…]","dbg":false,"et":0,"nbody":"[…]","nname":"{EXT}-readme.txt","rdmcnt":0,"ext":".[…]"}
"Using silent mode, if you on esxi – stop VMs manualy"@demonslay335 @VK_Intel pic.twitter.com/K08zJuI5Z8— MalwareHunterTeam (@malwrhunterteam) June 28, 2021
The popular malware researcher Vitali Kremez explained that the new variant is an ELF64 executable with the same configuration options as the Windows version.
“Kremez states that this is the first known time the Linux variant has been publicly available since it was released.” states BleepingComputer.
2021-06-28:🔥🔒#REvil #Ransomware Goes Elf Hunting for VMware ESXi VM | Linux 64-Bit Flavor
1⃣Leverages "esxcli" CLI component to kill VMs via world id
2⃣affiliate "sub":"7864" | usual struct
3⃣GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.4) 4.8.4
*requires admin /vmfsht @malwrhunterteam pic.twitter.com/guhYzXkeBL
— Vitali Kremez (@VK_Intel) June 28, 2021
Upon executing on ESXi servers, the Linux version of the ransomware will run the esxcli command line tool to list all running ESXi virtual machines and close the virtual machine disk (VMDK) files stored in the /vmfs/ folder. Then the REvil ransomware will encrypt the files.
esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | awk -F ""*,"*" '{system("esxcli vm process kill --type=force --world-id=" $1)}' Indicators of Compromise (IoC) for REvil Linux encryptor have been published by security expert Jaime Blasco on Alienvault’s Open Threat Exchange.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Linux)
Share On
Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
The REvil ransomware operators added a Linux encryptor to their arsenal to encrypt Vmware ESXi virtual machines.
The REvil ransomware operators are now using a Linux encryptor to encrypts Vmware ESXi virtual machines which are widely adopted by enterprises.
The availability of the Linux encryptor was announced by the REvil gang in May, a circumstance that suggests the group is expanding its operation.
Now MalwareHunterTeam researchers spotted a Linux version of the REvil ransomware that also targets ESXi servers, BleepingComputer reported.
REvil ransomware Linux version…
👀
Config base:
{"pk":"[…]","pid":"[…]","sub":"[…]","dbg":false,"et":0,"nbody":"[…]","nname":"{EXT}-readme.txt","rdmcnt":0,"ext":".[…]"}
"Using silent mode, if you on esxi – stop VMs manualy"@demonslay335 @VK_Intel pic.twitter.com/K08zJuI5Z8— MalwareHunterTeam (@malwrhunterteam) June 28, 2021
The popular malware researcher Vitali Kremez explained that the new variant is an ELF64 executable with the same configuration options as the Windows version.
“Kremez states that this is the first known time the Linux variant has been publicly available since it was released.” states BleepingComputer.
2021-06-28:🔥🔒#REvil #Ransomware Goes Elf Hunting for VMware ESXi VM | Linux 64-Bit Flavor
1⃣Leverages "esxcli" CLI component to kill VMs via world id
2⃣affiliate "sub":"7864" | usual struct
3⃣GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.4) 4.8.4
*requires admin /vmfsht @malwrhunterteam pic.twitter.com/guhYzXkeBL
— Vitali Kremez (@VK_Intel) June 28, 2021
Upon executing on ESXi servers, the Linux version of the ransomware will run the esxcli command line tool to list all running ESXi virtual machines and close the virtual machine disk (VMDK) files stored in the /vmfs/ folder. Then the REvil ransomware will encrypt the files.
esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | awk -F ""*,"*" '{system("esxcli vm process kill --type=force --world-id=" $1)}' Indicators of Compromise (IoC) for REvil Linux encryptor have been published by security expert Jaime Blasco on Alienvault’s Open Threat Exchange.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Linux)