The RansomHub ransomware operation has added a Linux encryptor that targets VMware ESXi environments. First observed in February 2024, RansomHub has quickly risen to become the fourth most prolific ransomware operator in recent months. Symantec researchers suspect it is a variant of the Knight ransomware, which targeted multiple platforms before being shut down in February 2024. The Linux and Windows versions of RansomHub are written in Go, while the new ESXi version is written in C++. RansomHub has claimed 45 victims across 18 countries, primarily in the IT sector, with tactics that include abusing cloud storage backups and exploiting misconfigured Amazon S3 instances.
Researchers from Insikt Group found a bug in the ESXi version of RansomHub: writing the value -1 into a file that the malware checks prevents encryption and sends the encryptor into an endless loop. Insikt Group has developed YARA and Sigma rules to detect RansomHub files and advises analysts to check endpoint logs for the specific commands the ransomware runs, such as stopping virtual machines, deleting shadow copies, and halting Internet Information Services (IIS). The group behind RansomHub appears to be targeting companies that run virtualized environments, which expands its pool of potential victims.
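The three behaviours Insikt Group tells analysts to look for (VM shutdown, shadow-copy deletion, IIS stop) are command lines, so they can be hunted in process-creation telemetry. The following is an added example, not code from the original article or from Insikt Group's published rules: it runs a small set of assumed command patterns over constructed log lines and flags hosts where more than one behaviour appears, or where one behaviour repeats in a burst (as a mass VM power-off does on ESXi). The log format, the host names, the regexes and the thresholds are all assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed endpoint log lines (stand-ins for Sysmon EID 1 / Windows 4688
# process creation and ESXi shell history). Illustrative only; not real telemetry.
SAMPLE_LOGS = [
    'host=esxi01 user=root cmd="vim-cmd vmsvc/getallvms"',
    'host=esxi01 user=root cmd="vim-cmd vmsvc/power.off 12"',
    'host=esxi01 user=root cmd="vim-cmd vmsvc/power.off 13"',
    'host=esxi01 user=root cmd="esxcli vm process kill --type=force --world-id=2097530"',
    'host=win-fs02 user=SYSTEM cmd="wmic shadowcopy delete"',
    'host=win-web01 user=Administrator cmd="iisreset /stop"',
    'host=win-web01 user=Administrator cmd="net stop W3SVC"',
    'host=win-web01 user=SYSTEM cmd="vssadmin delete shadows /all /quiet"',
    'host=win-ws17 user=jdoe cmd="notepad.exe C:\\notes.txt"',
]


@dataclass(frozen=True)
class Rule:
    name: str
    behaviour: str
    pattern: re.Pattern


# Assumed command patterns for the three behaviours the article names.
# These are representative commands chosen for this example, not Insikt
# Group's published Sigma/YARA rules.
RULES = (
    Rule("esxi_vm_poweroff", "stop virtual machines",
         re.compile(r"vim-cmd\s+vmsvc/power\.off|esxcli\s+vm\s+process\s+kill", re.I)),
    Rule("shadow_copy_delete", "delete shadow copies",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    Rule("iis_stop", "halt IIS",
         re.compile(r"iisreset(\.exe)?\s+/stop|net(\.exe)?\s+stop\s+w3svc", re.I)),
)

# Assumed key=value line layout: host=<name> ... cmd="<command line>"
FIELD_RE = re.compile(r'host=(?P<host>\S+).*?cmd="(?P<cmd>[^"]*)"')


def parse_line(line):
    """Return (host, command) from a key=value log line, or None if malformed."""
    m = FIELD_RE.search(line)
    return (m.group("host"), m.group("cmd")) if m else None


def match_rules(cmd, rules=RULES):
    """Names of every rule whose pattern matches the command line."""
    return [r.name for r in rules if r.pattern.search(cmd)]


def scan(lines, rules=RULES):
    """Per-host tally of rule hits: {host: Counter({rule_name: n})}.
    Hosts with no hits are absent from the result."""
    hits = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not fit the expected layout
        host, cmd = parsed
        for name in match_rules(cmd, rules):
            hits[host][name] += 1
    return dict(hits)


def flagged_hosts(lines, rules=RULES, min_techniques=2, burst=3):
    """Hosts worth triage: two or more distinct behaviours, or one behaviour
    repeated `burst` times (a mass VM power-off on ESXi looks like this).
    A single 'net stop W3SVC' by an admin is deliberately not enough."""
    out = []
    for host, counter in scan(lines, rules).items():
        if len(counter) >= min_techniques or max(counter.values()) >= burst:
            out.append(host)
    return sorted(out)


if __name__ == "__main__":
    for host, counter in scan(SAMPLE_LOGS).items():
        print(host, dict(counter))
    print("triage:", flagged_hosts(SAMPLE_LOGS))
```

On the constructed input, esxi01 is flagged for three VM power-off commands and win-web01 for combining an IIS stop with shadow-copy deletion, while win-fs02's lone `wmic shadowcopy delete` is recorded but not flagged. In a real deployment the patterns would be replaced by the vendor's Sigma logic and the thresholds tuned to the environment; the per-host correlation is the part that separates ransomware staging from routine administration.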
Article Source
https://securityaffairs.com/164779/cyber-crime/ransomhub-ransomware-esxi-encryptor.html?amp