The REvil ransomware gang is now targeting and encrypting Vmware ESXi virtual machines.
With the rise of virtual machines in the enterprise world, attackers are creating their own tools to mass encrypt the storage used by VMs.
The first news appeared in May, when Yelisey Boguslavskiy of Advanced Intel shared a post in which REvil said their encryptor could also work on NAS devices. And today, security researchers uncovered a Linux version of the REvil ransomware in the wild, as attackers targeted ESXi servers. This is the first known time that the Linux variant has been found publicly.
According to Vitali Kremez, an Advanced Intel engineer who analyzed the code, REvil Linux is an ELF64 executable that uses the same configuration as REvil’s more common Windows executable.
A threat actor can specify the path to encrypt and turn on a silent mode. The malware will run the esxcli command-line tool to list all running ESXi virtual machines and terminate them. This command also closes the virtual machine disks (VMDK) files that are stored in the /vmmfs/ folder so that they are not locked by ESXi when the REvil ransomware malware tries to encrypt them:
esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | awk -F ""*,"*" '{system("esxcli vm process kill --type=force --world-id=" $1)}'
If a virtual machine is not properly closed before it encrypts its file, it could cause data corruption, researchers explained.
With the Linux version of the REvil ransomware, REvil can encrypt many servers with a single command.
“The reason why most ransomware groups implemented a Linux-based version of their ransomware is to target ESXi specifically,” said Wosar.
Other ransomware operations who have also created Linux encryption tools to target ESXi VMs include Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and Hellokitty.
