Linux version of BlackMatter ransomware targets VMware ESXi servers

A cybersecurity researcher at MalwareHunterTeam discovered a Linux ELF64 ransomware sample from the BlackMatter ransomware group, designed specifically to attack VMware ESXi servers.

Since the VMware ESXi standalone hypervisor is the most popular virtual machine platform, almost all ransomware groups have started releasing ransomware specifically designed for these servers.

After the high-profile cyberattack on Colonial Pipeline, the largest pipeline operator in the United States, which led to a shortage of gasoline along the entire southeast coast of the country, law enforcement agencies around the world, and especially American ones, began a real hunt for DarkSide. In May of this year, the group suddenly lost access to its servers and cryptocurrency assets, which were seized by unknown persons, and was forced to announce the termination of its operations. As it became known later, the FBI managed to take back 63.7 of the 75 bitcoins that Colonial Pipeline had paid DarkSide for file recovery.

Soon after, a new group called BlackMatter entered the ransomware arena, announcing on hacker forums that it was ready to pay up to $100,000 for access to the corporate networks of large companies. The group is only interested in companies with an annual income of $100 million or more.

Information security expert Vitali Kremez from Advanced Intel reverse-engineered the new ransomware sample and said that the cybercriminals have created the esxi_utils library, which is used to perform various operations on VMware ESXi servers.

Each function executes a separate command using the esxcli command-line management tool, such as listing virtual machines, stopping the firewall, or shutting down a virtual machine.
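Defenders can look for those same three operations in the ESXi shell command log. The following detection sketch is an added example, not code from the article or from the malware. It assumes the `shell.log` line layout shown in the constructed sample and the standard `esxcli` namespaces for these operations, because the article does not give the sample's exact command lines.

```python
import re
from datetime import datetime, timedelta

# Standard esxcli namespaces for the three operations the article names.
# Assumption: the sample's exact command lines are not given in the article.
PATTERNS = {
    "vm_list": re.compile(r"\besxcli\s+vm\s+process\s+list\b"),
    "vm_stop": re.compile(r"\besxcli\s+vm\s+process\s+kill\b"),
    "firewall_off": re.compile(
        r"\besxcli\s+network\s+firewall\s+set\b.*(--enabled|-e)[=\s]+(false|0)\b"),
}
# Assumed shell.log layout: "<ISO time>Z shell[<pid>]: [<user>]: <command>"
LINE = re.compile(r"^(\S+)Z\s+shell\[(\d+)\]:\s+\[(\w+)\]:\s+(.*)$")

def classify(command):
    """Return the categories of esxcli operation found in one command line."""
    return [name for name, rx in PATTERNS.items() if rx.search(command)]

def find_bursts(lines, window=timedelta(seconds=60), min_kinds=2):
    """Flag shell sessions (by pid) that run >= min_kinds categories within window."""
    events = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a shell command record
        ts = datetime.strptime(m.group(1)[:19], "%Y-%m-%dT%H:%M:%S")
        for kind in classify(m.group(4)):
            events.setdefault(m.group(2), []).append((ts, kind))
    alerts = []
    for pid, evs in sorted(events.items()):
        evs.sort()
        for i, (start, _) in enumerate(evs):
            kinds = {k for t, k in evs[i:] if t - start <= window}
            if len(kinds) >= min_kinds:
                alerts.append((pid, start.isoformat(), sorted(kinds)))
                break  # one alert per session is enough
    return alerts

# Constructed sample log lines (not taken from a real host or from the article).
SAMPLE = """\
2021-08-05T10:02:11Z shell[2101]: [root]: esxcli vm process list
2021-08-05T14:30:00Z shell[2188]: [root]: esxcli network firewall set --enabled false
2021-08-05T14:30:02Z shell[2188]: [root]: esxcli vm process list
2021-08-05T14:30:05Z shell[2188]: [root]: esxcli vm process kill --type=soft --world-id=12345
2021-08-05T15:00:00Z shell[2190]: [root]: esxcli network firewall get
""".splitlines()

if __name__ == "__main__":
    for alert in find_bursts(SAMPLE):
        print(alert)
```

A lone `vm process list` is routine administration, so the sketch alerts only when several of these operations cluster in one shell session within a short window.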

