A recent report by BleepingComputer has revealed that a new Linux encryptor was used in attacks against VMware ESXi environments as part of the ransomware-as-a-service operation known as RansomHub. The encryptor is believed to be based on the discontinued Knight ransomware and offers features such as configuration decryption, delayed execution, progress logging, snapshot removal, and virtual machine shutdown.
Researchers from Recorded Future’s Insikt Group noted that RansomHub’s Linux encryptor evades detection by disabling critical services such as Syslog and by deleting itself after running. It uses ChaCha20 for encryption and Curve25519 to generate its public and private keys. To blunt attacks on VMware ESXi environments, organizations were advised to write “-1” to the /tmp/app.pid file on their systems, which traps the encryptor in an infinite loop of trying to terminate a nonexistent process.
These findings follow a previous report on RansomHub’s encryptor for Windows and Linux, shedding light on the group’s tactics and capabilities. The use of advanced encryption technologies and evasion techniques demonstrates the group’s sophistication and dedication to carrying out successful attacks on vulnerable systems.
As ransomware attacks continue to evolve and target critical infrastructure such as VMware ESXi environments, organizations must remain vigilant and take proactive measures to protect their systems. Simple defensive measures, such as the /tmp/app.pid workaround described above, can help neutralize this threat and prevent unauthorized access to sensitive data.
Overall, the report highlights the growing threat of ransomware attacks and the need for robust cybersecurity defenses to mitigate the risk of data breaches and financial losses. By understanding the tactics and techniques used by threat actors like RansomHub, organizations can better prepare themselves to defend against emerging cyber threats and safeguard their valuable assets from exploitation.
Article Source
https://www.scmagazine.com/brief/VMware-esxi-subjected-to-attacks-with-ransomhub-for-linux