Tag Archive for: VMware
New ‘MichaelKors’ Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems
A new ransomware-as-service (RaaS) operation called MichaelKors has become the latest file-encrypting malware to target Linux and VMware ESXi systems as of April 2023.
The development points to cybercriminal actors increasingly setting their eyes on the ESXi, cybersecurity firm CrowdStrike said in a report shared with The Hacker News.
“This trend is especially noteworthy given the fact that ESXi, by design, does not support third-party agents or AV software,” the company said.
“In fact, VMware goes as far as to claim it’s not required. This, combined with the popularity of ESXi as a widespread and popular virtualization and management system, makes the hypervisor a highly attractive target for modern adversaries.”
The targeting of VMware ESXi hypervisors with ransomware to scale such campaigns is a technique known as hypervisor jackpotting. Over the years, the approach has been adopted by several ransomware groups, including Royal.
What’s more, an analysis from SentinelOne last week revealed that 10 different ransomware families, including Conti and REvil, have utilized leaked Babuk source code in September 2021 to develop lockers for VMware ESXi hypervisors.
Other notable e-crime outfits that have updated their arsenal to target ESXi consist of ALPHV (BlackCat), Black Basta, Defray, ESXiArgs, LockBit, Nevada, Play, Rook, and Rorschach.
Part of the reason why VMware ESXi hypervisors are becoming an attractive target is that the software runs directly on a physical server, granting a potential attacker the ability to run malicious ELF binaries and gain unfettered access over the machine’s underlying resources.
Attackers looking to breach ESXi hypervisors can do so by using compromised credentials, followed by gaining elevated privileges and either laterally moving through the network or escaping the confines of the environment via known flaws to advance their motives.
VMware, in a knowledge base article last updated in September 2020, notes that “antivirus software is not required with the vSphere Hypervisor and the use of such software is not supported.”
UPCOMING WEBINAR
Learn to Stop Ransomware with Real-Time…
Leaked Babuk Code Fuels New Wave of VMware ESXi Ransomware
Cybersecurity firm SentinelOne warns of an increase in the number of new ransomware families designed to target VMware ESXi that are based on the leaked Babuk source code.
Targeting both Windows and Linux systems, the Babuk ransomware family was initially detailed in January 2021 and was used in attacks against numerous organizations.
In September 2021, the malware’s source code was leaked online by one of its operators, which allowed security researchers to release a free decryption tool for it roughly two months later.
The leaked source code has been used to create new ransomware variants, including RTM Locker and Rook, and was also used in the Rorschach ransomware. Both RTM Locker and Rorschach (aka BabLock) target ESXi servers too.
Over the past year, SentinelOne says in a new technical report, the source code was used to create at least 10 ransomware families specifically targeting VMware ESXi servers.
Other smaller ESXi ransomware operations also adopted the code, including House’s Mario, Play, Cylance (unrelated to the security firm with the same name), Dataf Locker, Lock4, and XVGV.
Infamous ransomware gangs such as Alphv/BlackCat, Black Basta, Conti, Lockbit, and REvil have been observed targeting ESXi deployments as well.
However, SentinelOne’s analysis of these malware families has revealed that only Conti and REvil ESXi lockers show overlaps with the leaked Babuk code.
The ESXiArgs locker that caused havoc earlier this year, however, showed very few similarities with Babuk, aside from the use of the same open-source Sosemanuk encryption implementation, the cybersecurity firm says.
“While ties to REvil remain tentative, the possibility exists that these groups – Babuk, Conti, and REvil – potentially outsourced an ESXi locker project to the same developer,” SentinelOne notes.
The identified links suggest that the two ransomware operations may have experienced small leaks or that they share code to collaborate, SentinelOne says.
Overall, the cybersecurity firm stresses on the fact that threat actors are increasingly using the Babuk code to build ESXi and Linux lockers and that they might also adopt the group’s…
VMware ESXi servers subjected to RTM Locker ransomware for Linux attacks
Threat actors have been targeting VMware ESXi servers with a Linux variant of the RTM Locker ransomware strain based on leaked Babuk ransomware source code, according to BleepingComputer.