The BlackMatter gang has joined the ranks of ransomware operations developing a Linux encryptor that targets VMware's ESXi virtual machine platform.
Enterprises are increasingly moving their servers onto virtual machines for better resource management and disaster recovery.
With VMware ESXi being the most popular virtual machine platform, almost every enterprise-targeting ransomware operation has begun to release encryptors that specifically target its virtual machines.
BlackMatter targets VMware ESXi
Yesterday, security researcher MalwareHunterTeam found a Linux ELF64 encryptor [VirusTotal] for the BlackMatter ransomware gang that, based on its functionality, specifically targets VMware ESXi servers.
BlackMatter is a relatively new ransomware operation that started last month and is believed to be a rebrand of DarkSide. After researchers found samples, it was determined that the encryption routines used by the ransomware were the same custom and unique ones used by DarkSide.
DarkSide shut down after attacking Colonial Pipeline, which took the pipeline offline, and then feeling the full pressure of international law enforcement and the US government.
From the sample of BlackMatter's Linux encryptor shared with BleepingComputer, it is clear that it was designed solely to target VMware ESXi servers.
Advanced Intel's Vitali Kremez reverse engineered the sample and told BleepingComputer that the threat actors created an 'esxi_utils' library that is used to perform various operations on VMware ESXi servers:
/sbin/esxcli
bool app::esxi_utils::get_domain_name(std::vector >&)
bool app::esxi_utils::get_running_vms(std::vector >&)
bool app::esxi_utils::get_process_list(std::vector >&)
bool app::esxi_utils::get_os_version(std::vector >&)
bool app::esxi_utils::get_storage_list(std::vector >&)
std::string app::esxi_utils::get_machine_uuid()
bool app::esxi_utils::stop_firewall()
bool app::esxi_utils::stop_vm(const string&)
(The template arguments of the std::vector parameters are missing from this listing as published.)
Kremez told us that each function executes a different command using the esxcli command-line management tool, such as listing VMs, stopping the firewall, stopping a VM, and more.
For example, the stop_firewall() function will execute the following command:
esxcli network firewall set --enabled false
While stop_vm() will execute the following esxcli command:
esxcli vm process kill --type=force --world-id [ID]
All ransomware that targets ESXi servers attempts to shut down the virtual machines before encrypting the drives. This is done because a running VM keeps its disk files open and locked, so the encryptor cannot otherwise get at them, and encrypting files a VM is still writing to would corrupt the data.
Once all the VMs are shut down, it will encrypt files that match specific file extensions based on the configuration included with the ransomware.
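The sequence described above (disable the host firewall, then force-kill every running VM by world ID, then encrypt) leaves a recognisable trail in the ESXi shell log, which is what a defender would hunt for. The script below is an added example written for this article, not code from BlackMatter or from BleepingComputer: it parses a handful of constructed shell.log-style lines and flags the firewall-disable command, every forced VM kill, and a burst of forced kills from a single shell session. The log line layout (ISO timestamp, then shell[pid], then the user in brackets, then the command) and the sample commands are assumptions made for the example; check them against your own hosts' /var/log/shell.log before relying on the regexes.

```python
import re
from collections import Counter

# Constructed sample lines in the assumed ESXi shell.log layout:
#   <timestamp> shell[<pid>]: [<user>]: <command>
# The pid groups commands typed in the same ESXi shell session.
SAMPLE_SHELL_LOG = """\
2021-08-05T10:12:01Z shell[2099041]: [root]: esxcli system version get
2021-08-05T10:12:05Z shell[2099041]: [root]: esxcli vm process list
2021-08-05T10:12:06Z shell[2099041]: [root]: esxcli network firewall set --enabled false
2021-08-05T10:12:07Z shell[2099041]: [root]: esxcli vm process kill --type=force --world-id 2100234
2021-08-05T10:12:07Z shell[2099041]: [root]: esxcli vm process kill --type=force --world-id 2100512
2021-08-05T10:12:08Z shell[2099041]: [root]: esxcli vm process kill --type=force --world-id 2100777
2021-08-05T10:30:00Z shell[2099050]: [admin]: esxcli vm process kill --type=soft --world-id 2100900
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$"
)
# Matches the stop_firewall() command; accepts both "--enabled false" and "--enabled=false".
FIREWALL_OFF_RE = re.compile(
    r"\besxcli\s+network\s+firewall\s+set\b.*--enabled[ =]false\b"
)
# Matches the stop_vm() command; a soft kill (--type=soft) is normal admin activity and is ignored.
FORCE_KILL_RE = re.compile(
    r"\besxcli\s+vm\s+process\s+kill\b.*--type[ =]force\b"
)


def parse_shell_log(text):
    """Return one dict (ts, pid, user, cmd) per line that fits the assumed layout."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious(text, kill_threshold=3):
    """Return (kind, when, who, detail) findings for firewall-disable and forced-kill activity.

    kill_threshold: number of forced kills from one shell session that counts as a burst.
    """
    findings = []
    kills_per_session = Counter()
    for ev in parse_shell_log(text):
        cmd = ev["cmd"]
        if FIREWALL_OFF_RE.search(cmd):
            findings.append(("firewall_disabled", ev["ts"], ev["user"], cmd))
        if FORCE_KILL_RE.search(cmd):
            findings.append(("forced_vm_kill", ev["ts"], ev["user"], cmd))
            kills_per_session[ev["pid"]] += 1
    # Killing every VM in quick succession from one session is the encryptor's pattern,
    # not an administrator's; report it once per session.
    for pid, n in kills_per_session.items():
        if n >= kill_threshold:
            findings.append(
                ("vm_kill_burst", pid, "shell session", f"{n} forced kills in one session")
            )
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_SHELL_LOG):
        print(finding)
```

Run against the constructed sample this reports one firewall_disabled finding, three forced_vm_kill findings (the soft kill from the second session is not flagged), and one vm_kill_burst for session 2099041. The burst rule is deliberately per-session rather than per-host, so a planned maintenance window where several admins each stop one VM does not trip it.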
Targeting ESXi servers is very efficient when conducting ransomware attacks, as it allows the threat actors to encrypt numerous servers at once with a single command.
As more businesses move their servers onto this type of platform, we will continue to see ransomware developers focus primarily on Windows machines but also create a dedicated Linux encryptor targeting ESXi.
Emsisoft CTO Fabian Wosar told BleepingComputer that other ransomware operations, such as REvil, HelloKitty, Babuk, RansomExx/Defray, Mespinoza, and GoGoogle, have also created Linux encryptors for this purpose.