HelloKitty ransomware gang is using a Linux variant of their malware to target VMware ESXi virtual machine platform.
A Linux variant of the HelloKitty ransomware was employed in attacks against VMware ESXi systems.
The move of the ransomware gang aims at expanding the operations targeting enterprises that are largely adopting virtualizing platforms. Targeting VMware ESXi systems, threat actors could encrypt as many virtual machines as possible with a significant impact on the victims.
Researchers from MalwareHunterTeam spotted multiple Linux ELF64 versions of the HelloKitty ransomware designed to target VMware ESXi servers and encrypt virtual machines hosted on them.
Seems no one mentioned yet, so let me do it: the Linux version of HelloKitty ransomware was already using esxcli at least in early March for stopping VMs…@VK_Intel @demonslay335 pic.twitter.com/atSv0OO7YL
— MalwareHunterTeam (@malwrhunterteam) July 14, 2021
BleepingComputer that first shared the news, analyzed samples of the new variant and confirmed that the malware attempts to shut down virtual machines running on the targeted servers in order to encrypt files, preventing the files from being locked.
“From the debug messages, we can see that the ransomware uses ESXi’s esxcli command-line management tool to list the running virtual machines on the server and then shut them down.” reported BleepingComputer.
Once the virtual machines are shut down, the ransomware will encrypt .vmdk (virtual hard disk), .vmsd (metadata and snapshot information), and .vmsn (contains the active state of the VM) files.
HelloKitty ransomware isn’t the only threat that targets ESXi servers, Babuk, RansomExx, Mespinoza, and DarkSide ransomware also implement this capability.
-in June MalwareHunterTeam researchers spotted a Linux version of the REvil ransomware that also targets ESXi platform.
REvil ransomware Linux version…
👀
Config base:
{"pk":"[…]","pid":"[…]","sub":"[…]","dbg":false,"et":0,"nbody":"[…]","nname":"{EXT}-readme.txt","rdmcnt":0,"ext":".[…]"}
"Using silent mode, if you on esxi – stop VMs manualy"@demonslay335 @VK_Intel pic.twitter.com/K08zJuI5Z8— MalwareHunterTeam (@malwrhunterteam) June 28, 2021
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, HelloKitty ransomware)
Share On
Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
HelloKitty ransomware gang is using a Linux variant of their malware to target VMware ESXi virtual machine platform.
A Linux variant of the HelloKitty ransomware was employed in attacks against VMware ESXi systems.
The move of the ransomware gang aims at expanding the operations targeting enterprises that are largely adopting virtualizing platforms. Targeting VMware ESXi systems, threat actors could encrypt as many virtual machines as possible with a significant impact on the victims.
Researchers from MalwareHunterTeam spotted multiple Linux ELF64 versions of the HelloKitty ransomware designed to target VMware ESXi servers and encrypt virtual machines hosted on them.
Seems no one mentioned yet, so let me do it: the Linux version of HelloKitty ransomware was already using esxcli at least in early March for stopping VMs…@VK_Intel @demonslay335 pic.twitter.com/atSv0OO7YL
— MalwareHunterTeam (@malwrhunterteam) July 14, 2021
BleepingComputer that first shared the news, analyzed samples of the new variant and confirmed that the malware attempts to shut down virtual machines running on the targeted servers in order to encrypt files, preventing the files from being locked.
“From the debug messages, we can see that the ransomware uses ESXi’s esxcli command-line management tool to list the running virtual machines on the server and then shut them down.” reported BleepingComputer.
Once the virtual machines are shut down, the ransomware will encrypt .vmdk (virtual hard disk), .vmsd (metadata and snapshot information), and .vmsn (contains the active state of the VM) files.
HelloKitty ransomware isn’t the only threat that targets ESXi servers, Babuk, RansomExx, Mespinoza, and DarkSide ransomware also implement this capability.
-in June MalwareHunterTeam researchers spotted a Linux version of the REvil ransomware that also targets ESXi platform.
REvil ransomware Linux version…
👀
Config base:
{"pk":"[…]","pid":"[…]","sub":"[…]","dbg":false,"et":0,"nbody":"[…]","nname":"{EXT}-readme.txt","rdmcnt":0,"ext":".[…]"}
"Using silent mode, if you on esxi – stop VMs manualy"@demonslay335 @VK_Intel pic.twitter.com/K08zJuI5Z8— MalwareHunterTeam (@malwrhunterteam) June 28, 2021
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, HelloKitty ransomware)