HelloKitty Ransomware Using Linux Variant Attacks VMware ESXi Server
As businesses increasingly turn to virtual machines for backups and easier resource management, ransomware gangs are responding with a variety of tactics, including Linux encoders built specifically to target these servers.
VMware ESXi is one of the most popular enterprise virtual machine platforms. Over the past year, more and more ransomware gangs have launched Linux encoders targeting the platform.
Although ESXi runs its own kernel rather than Linux, it shares many of Linux's characteristics, including the ability to run ELF64 Linux executables.
On July 16, security researcher MalwareHunterTeam found multiple Linux ELF64 versions of the HelloKitty ransomware targeting ESXi servers and the virtual machines running on them.
Researchers believe HelloKitty has been using a Linux encoder for some time, but this is the first sample to be discovered publicly.
In the samples shared by MalwareHunterTeam, strings referring to ESXi and to the ransomware's attempts to shut down running VMs are clearly visible.
From the debug messages, we can see that the ransomware uses ESXi's esxcli command line management tool to list the VMs running on the host machine and shut them down.
Shutting down the virtual machines on the ESXi server before encryption prevents their files from being locked by the running VMs and avoids corrupting the data.
When shutting down virtual machines, the ransomware will first try to shut down with the 'soft' command:
esxcli vm process kill -t=soft -w=%d
If there are still VMs running, it will try shutting them down immediately with the 'hard' command:
esxcli vm process kill -t=hard -w=%d
Finally, if any VMs are still running, it uses the 'force' command to shut them down:
esxcli vm process kill -t=force -w=%d
After the virtual machine is down, the ransomware will start encrypting the .vmdk (virtual hard disk), .vmsd (metadata and snapshot information) and .vmsn files (containing the virtual machine's operating state).
This method is very effective because it allows a ransomware gang to encrypt multiple virtual machines with a single command.
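The soft, hard, force ladder described above is a usable detection signal on the host side. The following Python is an added example (not code from the article or from the malware samples): it scans ESXi shell.log lines for esxcli kill commands, flags any VM that is walked through all three kill types within a short window, and reports the largest number of distinct VMs killed inside one window as a mass-shutdown indicator. The log lines are constructed and their format is assumed; the -w argument carries the VM's World ID as listed by esxcli vm process list.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed /var/log/shell.log excerpt in an assumed format (not from the samples
# discussed above). The -w value is the VM's World ID from `esxcli vm process list`.
SAMPLE_SHELL_LOG = """\
2021-07-16T10:00:01Z shell[2099678]: [root]: esxcli vm process list
2021-07-16T10:00:02Z shell[2099678]: [root]: esxcli vm process kill -t=soft -w=2099500
2021-07-16T10:00:02Z shell[2099678]: [root]: esxcli vm process kill -t=soft -w=2099511
2021-07-16T10:00:07Z shell[2099678]: [root]: esxcli vm process kill -t=hard -w=2099500
2021-07-16T10:00:12Z shell[2099678]: [root]: esxcli vm process kill -t=force -w=2099500
2021-07-16T11:30:00Z shell[2100001]: [root]: esxcli vm process kill -t=soft -w=2099522
"""

# Matches one shell.log line that runs an esxcli kill: timestamp, kill type, World ID.
KILL_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z shell\[\d+\]: \[[^\]]+\]: "
                     r"esxcli vm process kill\b.*-t=(?P<type>soft|hard|force)\b.*-w=(?P<wid>\d+)")
ESCALATION = ("soft", "hard", "force")  # the order the ransomware escalates through

def kill_events(log_text):
    """Chronological (timestamp, kill_type, world_id) tuples for esxcli kill commands."""
    events = []
    for m in (KILL_RE.match(line) for line in log_text.splitlines()):
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["type"], m["wid"]))
    return sorted(events)

def find_kill_escalations(log_text, window_s=300):
    """World IDs hit by soft, then hard, then force kills within window_s seconds."""
    per_vm = defaultdict(list)
    for ts, kind, wid in kill_events(log_text):
        per_vm[wid].append((ts, kind))
    flagged = []
    for wid, events in per_vm.items():
        first = {}  # earliest timestamp of each kill type for this VM
        for ts, kind in events:
            first.setdefault(kind, ts)
        times = [first.get(k) for k in ESCALATION]
        # all three rungs present, in escalating order, and close together in time
        if None not in times and times == sorted(times) and times[-1] - times[0] <= timedelta(seconds=window_s):
            flagged.append(wid)
    return sorted(flagged)

def max_vms_killed_in_window(log_text, window_s=300):
    """Largest number of distinct VMs killed inside any window_s-second span (mass shutdown)."""
    events = kill_events(log_text)
    best = 0
    for i, (start, _, _) in enumerate(events):
        best = max(best, len({w for ts, _, w in events[i:] if ts - start <= timedelta(seconds=window_s)}))
    return best
```

A legitimate administrator may occasionally issue a single hard or force kill, so the escalation ladder on one VM plus several VMs killed in the same window is the combination worth alerting on.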
Last month, MalwareHunterTeam also detected a Linux version of the REvil ransomware that targets ESXi servers and uses the esxcli command as part of the encryption process.
BleepingComputer quotes Emsisoft CTO Fabian Wosar as saying that other ransomware gangs, such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle and DarkSide, have also created Linux encoders to target ESXi virtual machines.
"The reason why most ransomware groups deploy Linux-based ransomware attacks is to target ESXi," Wosar said.
HelloKitty has been active since November 2020. Since then, it has not been as aggressive in its attacks as other ransomware groups.
HelloKitty is best known for its attack on CD Projekt Red, in which it encrypted devices and stole the source code of Cyberpunk 2077, Witcher 3, Gwent…
The group later claimed that someone had purchased the files stolen from CD Projekt Red.
This ransomware, or its variants, has been used under different names such as DeathRansom and Fivehands.