Professional
A new malware variant for Linux targets VMware ESXi servers.
As enterprises move from private servers to virtual machines for better resource management, performance and disaster recovery, hackers are increasingly creating ransomware that targets these platforms.
Since VMware ESXi is one of the most popular virtualization platforms, almost every ransomware group has started releasing ransomware for Linux to cover a large percentage of potential victims. Other ransomware gangs using Linux ransomware targeting VMware ESXi include: Akira, Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.
Abyss Locker is a relatively new ransomware group that supposedly went live in March 2023. Like other similar groups, these hackers infiltrate corporate networks, steal the data of their victims and encrypt their devices. The stolen data is then used to implement "double extortion" tactics, where cybercriminals threaten to release the stolen confidential files unless a ransom is paid.
In order to publish the stolen files, the attackers created a separate data leak site on the Tor network called “Abyss-data”, which currently lists 14 victim organizations.
This week, MalwareHunterTeam security researchers discovered the Linux ransomware of the Abyss Locker operation and submitted it to BleepingComputer for analysis.
After studying the code of the executable file, the experts determined that the ransomware was created specifically for attacks on VMware ESXi servers, as it intentionally and purposefully shuts down these virtual machines. Subsequently, the malware freely encrypts virtual disks, snapshots, and metadata of infected ESXi instances. In addition to virtual machines, the ransomware also encrypts all other files on the device by adding the “.crypt” extension to their names.
When the encryption is completed, a file with the extension ".README_TO_RESTORE" appears in each folder of the device, which acts as a ransom note. This file contains information about what happened to the files, as well as a unique link to the Tor negotiation site of the attackers.
According to ransomware expert Michael Gillespie, the Abyss Locker Linux ransomware is based on HelloKitty but uses ChaCha encryption, a symbiosis of several ransomware programs. It is not entirely clear whether the new ransomware is a simple rebrand of HelloKitty or whether another hacker group simply gained access to the source code of its ransomware.
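The post names two file-system indicators for this ransomware: encrypted files carry an appended ".crypt" extension, and a ".README_TO_RESTORE" ransom note is dropped in each folder. The following triage script is an added example, not part of the original post or of any researcher's tooling; it walks a directory tree (assumed to be a mounted datastore, a backup copy, or an exported ESXi volume on an analysis host), collects both indicators, and separates hits on VMware virtual-disk, snapshot and metadata files from hits on other files. The sample tree it scans is constructed inline so that it runs offline.

```python
"""Added example (not from the original post): file-system triage for the two
Abyss Locker Linux/ESXi indicators the post describes -- an appended ".crypt"
extension on encrypted files and a ".README_TO_RESTORE" ransom note in each
folder. build_sample_tree() creates a constructed directory tree so the script
runs offline; point scan_tree() at a mounted datastore or backup to use it."""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".crypt"                   # extension the post says is appended
RANSOM_NOTE_SUFFIX = ".README_TO_RESTORE"  # ransom-note name from the post
# VMware file types the post says are targeted (virtual disks, snapshots, metadata).
# The exact set is an assumption; extend it for your environment.
VM_EXTS = {".vmdk", ".vmsn", ".vmsd", ".vmx", ".vmem", ".nvram"}


@dataclass
class ScanReport:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    affected_vm_files: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Either indicator on its own is enough to open an incident.
        return bool(self.encrypted_files or self.ransom_notes)


def scan_tree(root: str) -> ScanReport:
    """Walk `root` and collect ransom notes, encrypted files and VM artefacts hit."""
    report = ScanReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(RANSOM_NOTE_SUFFIX):
                report.ransom_notes.append(path)
            elif name.endswith(ENCRYPTED_EXT):
                report.encrypted_files.append(path)
                # The original extension sits just before the appended ".crypt".
                _stem, orig_ext = os.path.splitext(name[: -len(ENCRYPTED_EXT)])
                if orig_ext.lower() in VM_EXTS:
                    report.affected_vm_files.append(path)
    return report


def build_sample_tree() -> str:
    """Create a constructed, labelled sample tree and return its root path."""
    root = tempfile.mkdtemp(prefix="esxi-triage-")
    vm_dir = os.path.join(root, "datastore1", "web01")
    clean_dir = os.path.join(root, "clean")
    os.makedirs(vm_dir)
    os.makedirs(clean_dir)
    sample_files = [
        os.path.join(vm_dir, "web01.vmdk.crypt"),            # virtual disk
        os.path.join(vm_dir, "web01-Snapshot1.vmsn.crypt"),  # snapshot
        os.path.join(vm_dir, "web01.vmx.crypt"),             # VM metadata
        os.path.join(vm_dir, "notes.txt.crypt"),             # non-VM file
        os.path.join(vm_dir, ".README_TO_RESTORE"),          # ransom note
        os.path.join(root, "datastore1", ".README_TO_RESTORE"),
        os.path.join(clean_dir, "readme.txt"),               # untouched file
    ]
    for path in sample_files:
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print("suspicious:", report.suspicious)
    print("ransom notes:", len(report.ransom_notes))
    print("encrypted files:", len(report.encrypted_files))
    print("of which VM artefacts:", len(report.affected_vm_files))
```

On a real datastore the ransom-note count per directory is the faster first check, because the note is written to every folder regardless of how many files in it were encrypted; the VM-artefact list then tells you which guests need restoring from backup rather than which files to recover individually.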
