A researcher found a Linux encryptor that targets VMware’s ESXi virtual machine platform and presumably belongs to the BlackMatter gang.
The gang is another ransomware operator that recently shifted its focus to Linux servers. As the enterprise world is moving to virtual machines for better resource management and recovery, so do hackers. And with the increasing popularity of VMware ESXi virtual machines, many ransomware gangs started adopting encryption tools designed for ESXi as their primary tool for attacking enterprises.
BlackMatter is a new ransomware actor that started operating last month. It uses the same encryption routines as DarkSide, which indicates that BlackMatter is rebranded DarkSide, a prolific ransomware gang in the past that shut down after attacking the Colonial pipeline and the pressure of international enforcement.
The BlackMatter Linux encryptor is designed to solely target ESXi. Threat actors created an ‘esxi_utils’ library that is used to perform various operations on VMware ESXi servers using the esxcli command-line management tool, which include listing VMs, stopping firewalls, stopping a VM, and more.
Thus, the stop_firewall() function will run the following command:
esxcli network firewall set --enabled false
And the stop_vm() function will execute the following esxcli command:
esxcli vm process kill --type=force --world-id [ID]
All ransomware attacks attempt to prevent the virtual machines from running before they are encrypted to prevent corruption of data during encryption.
Once the entire network is shut down with all its VMs, the malware will automatically encrypt all files with the specified file extensions.
Usually, during a ransomware attack, the threat actor can encrypt multiple ESXi servers with a single command. This makes targeting ESXi servers particularly attractive and efficient for hackers.
Other ransomware operations have also created their own Linux encryptors. Among them REvil, HelloKitty, Babuk, RansomExx/Defray, Mespinoza, and GoGoogle.