HelloKitty Ransomware Using Linux Variant Attacks VMware ESXi Server

The HelloKitty ransomware now has a Linux variant that targets VMware's ESXi virtual machine platform, where encrypting a single host takes every virtual machine on it down at once.

As businesses increasingly move to virtual machines for easier backups and resource management, ransomware gangs are increasingly building Linux encryptors that target the servers hosting those VMs.

VMware ESXi is one of the most popular enterprise virtual machine platforms. Over the past year, more and more ransomware gangs have launched Linux encoders targeting the platform.

Although ESXi is not Linux and runs its own kernel (VMkernel), it shares many of the same characteristics, including the ability to run ELF64 Linux executables.

On July 16, security researcher MalwareHunterTeam found multiple Linux ELF64 versions of the HelloKitty ransomware targeting ESXi servers and the virtual machines running on them.

A Linux encryptor for HelloKitty was already known to exist, but according to security researchers these are the first samples of it to be found publicly.

In the samples MalwareHunterTeam shared, strings referring to ESXi and to the ransomware's attempt to shut down running VMs are clearly visible.

Picture 1 of HelloKitty Ransomware Using Linux Variant Attacks VMware ESXi Server
Picture 2 of HelloKitty Ransomware Using Linux Variant Attacks VMware ESXi Server

From the debug messages, we can see that the ransomware uses ESXi's esxcli command-line management tool to list the VMs running on the host and then shut them down.

Picture 3 of HelloKitty Ransomware Using Linux Variant Attacks VMware ESXi Server
Ransomware uses ESXi's esxcli command-line management tool to list virtual machines running on the host machine and shut them down.

Shutting the virtual machines down before encryption matters because ESXi keeps a running VM's disk files locked: a locked file cannot be overwritten, and encrypting a disk that is still in use would corrupt it. Killing the VMs first releases the locks and lets the encryptor work on consistent files.

When shutting down virtual machines, the ransomware first tries the 'soft' kill type, the most graceful of the three esxcli offers, for each VM (the %d is a format placeholder that the binary fills with the VM's World ID, the value esxcli's -w option expects):

esxcli vm process kill -t=soft -w=%d

If any VMs are still running, it tries the 'hard' kill type, which performs an immediate shutdown:

esxcli vm process kill -t=hard -w=%d

Finally, if VMs are still running, it uses the 'force' kill type, VMware's last-resort option, on whatever is left:

esxcli vm process kill -t=force -w=%d

Once the virtual machines are down, the ransomware starts encrypting the .vmdk (virtual disk), .vmsd (snapshot metadata) and .vmsn (saved VM running state) files.
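The sequence described above, as an added shell example (not code from the HelloKitty sample or from VMware): it extracts World IDs from esxcli's process listing, builds the same soft/hard/force kill commands with the IDs filled in, and applies the article's list of target extensions to a datastore path. The esxcli output below is constructed; the VM names, World IDs and UUIDs are made up, though the field layout is the one ESXi prints. Nothing here executes esxcli, so it runs on any POSIX shell.

```shell
#!/bin/sh
# Added example: models the VM-shutdown sequence the article describes
# without touching a real host. Sample data is constructed, not captured.

# Constructed sample of `esxcli vm process list` output (made-up VMs).
SAMPLE_PROCESS_LIST='web01
   World ID: 2100115
   Process ID: 0
   VMX Cartel ID: 2100114
   UUID: 42 1a 3c 5e 9f 0b 7d 2e-8c 6a 1f 4d 3b 9e 7a 5c
   Display Name: web01
   Config File: /vmfs/volumes/datastore1/web01/web01.vmx
db01
   World ID: 2100231
   Process ID: 0
   VMX Cartel ID: 2100230
   UUID: 42 1a 6d 8e 2f 1c 9b 4a-7e 3d 5f 0c 8a 2b 6e 1d
   Display Name: db01
   Config File: /vmfs/volumes/datastore1/db01/db01.vmx'

# Pull the World ID of every running VM out of the listing. -w is esxcli's
# World ID option, so this is the value that fills the %d in the kill string.
world_ids() {
    printf '%s\n' "$1" | sed -n 's/^ *World ID: *\([0-9][0-9]*\).*/\1/p'
}

# The command format seen in the sample, with kill type and World ID filled in.
kill_cmd() {
    printf 'esxcli vm process kill -t=%s -w=%s\n' "$1" "$2"
}

# The escalation the article describes: soft for every VM, then hard, then
# force. On a live host the binary re-lists processes between stages and only
# escalates for survivors; here every stage is emitted for every VM so the
# whole plan is visible without executing anything.
escalation_plan() {
    ids=$(world_ids "$1")
    for type in soft hard force; do
        for id in $ids; do
            kill_cmd "$type" "$id"
        done
    done
}

# The file types the article names as encryption targets. Running a
# datastore listing through this filter shows a defender exactly which files
# become reachable to the encryptor once the VMs are killed.
is_target() {
    case "$1" in
        *.vmdk|*.vmsd|*.vmsn) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: print the plan, then dry-run a few constructed datastore paths.
escalation_plan "$SAMPLE_PROCESS_LIST"
for f in /vmfs/volumes/datastore1/web01/web01.vmx \
         /vmfs/volumes/datastore1/web01/web01.vmdk \
         /vmfs/volumes/datastore1/web01/web01-Snapshot1.vmsn; do
    is_target "$f" && echo "target: $f"
done
```

The .vmx configuration file is deliberately not in the filter, matching the article's list; the encryptor leaves the VM definition in place and takes the disks and snapshots the definition points at.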

This method is very effective because it lets a ransomware gang encrypt every virtual machine on a host with a single binary run on the hypervisor.

Last month, MalwareHunterTeam also detected a Linux version of the REvil ransomware that targets ESXi servers and uses the esxcli command as part of the encryption process.

BleepingComputer quotes Emsisoft CTO Fabian Wosar as saying that other ransomware gangs, such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle and DarkSide, have also created Linux encryptors to target ESXi virtual machines.

"The reason why most ransomware groups deploy Linux-based ransomware attacks is to target ESXi," Wosar said.

HelloKitty has been active since November 2020, but it has not been as aggressive in its attacks as other ransomware groups.

HelloKitty is best known for its attack on CD Projekt Red, in which it encrypted devices and stole the source code of Cyberpunk 2077, The Witcher 3, Gwent…

The gang later claimed that someone had bought the files stolen from CD Projekt Red.

This ransomware, or variants of it, has also been distributed under other names, such as DeathRansom and FiveHands.

Update 16 July 2021