Operators of the REvil ransomware have begun using a new Linux encryptor to attack VMware ESXi virtual machines.
As businesses migrate to virtual machines to simplify backups and device management and to use resources more efficiently, ransomware groups are increasingly building their own tools to bulk-encrypt the storage that virtual machines use.
According to information security expert Vitaliy Kremez of Advanced Intel, speaking to Bleeping Computer, the Linux version of the malware is an ELF64 executable and includes the same configuration parameters as the more common Windows executable.
When executed on a server, the attacker can supply a path to encrypt and enable quiet mode. On ESXi hosts, the operator runs the esxcli command-line tool to list and terminate all running virtual machines. Killing the VMs releases the virtual machine disk (VMDK) files stored under the /vmfs/ folder, so the REvil ransomware can encrypt them without ESXi holding locks on them.
If a virtual machine is not shut down cleanly before its disk files are encrypted, the data inside it may be corrupted. By targeting ESXi hosts this way, REvil can encrypt many virtual servers at once with a single command.
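A defender-side check for the mass VM termination step described above, as an added example that is not from the article or from any vendor tooling: it parses constructed ESXi shell.log lines (assumed to follow ESXi's `timestamp shell[pid]: [user]: command` layout) and flags any shell session that force-kills several VMs within a short window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of ESXi /var/log/shell.log lines (not taken from the article).
# Layout assumed: ISO timestamp, shell[pid], [user], then the typed command.
SAMPLE_SHELL_LOG = """\
2021-06-28T09:14:02Z shell[2214]: [root]: esxcli storage filesystem list
2021-06-28T11:02:10Z shell[3310]: [root]: esxcli vm process list
2021-06-28T11:02:11Z shell[3310]: [root]: esxcli vm process kill --type=force --world-id=2102345
2021-06-28T11:02:11Z shell[3310]: [root]: esxcli vm process kill --type=force --world-id=2102377
2021-06-28T11:02:12Z shell[3310]: [root]: esxcli vm process kill --type=force --world-id=2102401
2021-06-28T11:02:12Z shell[3310]: [root]: esxcli vm process kill --type=force --world-id=2102433
2021-06-28T11:02:13Z shell[3310]: [root]: esxcli vm process kill --type=force --world-id=2102460
2021-06-28T11:02:20Z shell[3310]: [root]: ls /vmfs/volumes/
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+Z) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b")

def parse_shell_log(text):
    """Yield (timestamp, pid, user, command) for each well-formed shell.log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed or unrelated lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["pid"], m["user"], m["cmd"]

def find_mass_vm_kill(text, threshold=3, window=timedelta(seconds=60)):
    """Return one alert per shell session that kills >= threshold VMs within `window`.
    An operator freeing VMDK locks terminates every VM in a burst; an admin usually
    stops one or two VMs, and normally via vCenter rather than the ESXi shell."""
    alerts = []
    kills_by_session = {}
    for ts, pid, user, cmd in parse_shell_log(text):
        if KILL_RE.search(cmd):
            kills_by_session.setdefault((pid, user), []).append(ts)
    for (pid, user), times in kills_by_session.items():
        times.sort()
        # sliding window: count kills within `window` of the i-th kill
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                alerts.append({"pid": pid, "user": user, "first_kill": start, "kills": n})
                break
    return alerts
```

Tune `threshold` and `window` to the host's normal maintenance pattern before relying on it for alerting.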