Brother
A sophisticated ELF64 encryptor poses a new challenge to virtual machine security.
Security researchers have discovered a new Linux encryptor from the Qilin ransomware group that targets VMware ESXi servers. It is considered one of the most advanced and customizable encryptors seen for Linux.
The move by companies to VMware ESXi virtual machines, which allow efficient allocation of CPU, memory and storage resources, has made ESXi hosts a very attractive target for cybercriminals. Almost all ransomware groups have long had dedicated encryptors for this platform.
MalwareHunterTeam researchers discovered and analyzed Qilin's ELF64 Linux encryptor. It turned out to be focused on encrypting virtual machines and deleting their snapshots (point-in-time copies of a machine's full state).
Key features of the ELF64 encryptor identified by the experts:
- configuration via the command line, allowing the encryption parameters to be changed;
- exclusions and targeting criteria for encryption, covering processes, directories, files and file extensions;
- command-line options that include a debugging mode, a "dry" run that encrypts no files, and settings for encrypting virtual machines and their snapshots.
The encryptor detects whether it is running on Linux, FreeBSD or a VMware ESXi server. If VMware ESXi is detected, it uses the "esxcli" and "esxcfg-advcfg" commands, which had not previously been seen in other encryptors.
Once encryption of the virtual machines is complete, a ransom note is created containing links to the Qilin group's Tor negotiation site as well as unique login details for the chat page. Ransom amounts observed by security experts range from 25,000 to several million dollars.
The Qilin operation launched in August 2022 under the name "Agenda" and was renamed Qilin in September. The group breaks into company networks, steals data, spreads across systems and encrypts devices on the network. It then uses the stolen data and the encrypted files in double-extortion attacks to force companies to pay.
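As a defender's companion to the platform-detection and snapshot-deletion behaviour described above, here is an added example (not code from the original post or from the researchers it cites) that reads ESXi shell history in the style of /var/log/shell.log and flags a shell session that uses several of the command classes the article names within a few minutes of each other. The log lines, session ids and the exact line format are constructed for the example, and the indicator list is an assumption for triage, not a signature of the encryptor.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of ESXi /var/log/shell.log; not from a real incident.
SAMPLE_SHELL_LOG = """\
2024-05-01T02:10:03Z shell[2098765]: [root]: esxcli system version get
2024-05-01T02:10:41Z shell[2098765]: [root]: esxcfg-advcfg -g /UserVars/ProductLockerLocation
2024-05-01T02:11:02Z shell[2098765]: [root]: esxcli vm process list
2024-05-01T02:11:55Z shell[2098765]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2024-05-02T09:00:00Z shell[2100001]: [root]: ls /vmfs/volumes
2024-05-02T09:00:30Z shell[2100001]: [root]: esxcli storage filesystem list
"""

LINE_RE = re.compile(r"^(\S+) shell\[(\d+)\]: \[(\w+)\]: (.*)$")

# Each class alone is routine administration; several of them inside one
# short shell session is the pattern worth triaging (assumed indicator set).
INDICATORS = {
    "advcfg": re.compile(r"\besxcfg-advcfg\b"),
    "esxcli": re.compile(r"\besxcli\b"),
    "snapshot_delete": re.compile(r"snapshot\.remove"),
}


def parse_shell_log(text):
    """Yield (timestamp, session_id, user, command) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            yield ts, m.group(2), m.group(3), m.group(4)


def find_suspicious_sessions(text, window=timedelta(minutes=10), min_classes=2):
    """Map session id -> sorted indicator classes for sessions that hit at least
    `min_classes` distinct classes within `window` of each other."""
    hits = defaultdict(list)  # session id -> [(timestamp, class)]
    for ts, sid, _user, cmd in parse_shell_log(text):
        hits[sid].extend((ts, name) for name, rx in INDICATORS.items() if rx.search(cmd))
    flagged = {}
    for sid, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            classes = {name for t, name in events[i:] if t - start <= window}
            if len(classes) >= min_classes:
                flagged[sid] = sorted(classes)
                break
    return flagged
```

On the constructed sample, only session 2098765 is flagged; the second session runs a single esxcli enumeration and stays below the threshold.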