The RansomHub ransomware operation, launched in February 2024, targets VMware ESXi environments in enterprise attacks. It is a ransomware-as-a-service (RaaS) operation linked to other ransomware groups and has affected over 45 victims in 18 countries.
A specialized ESXi variant of RansomHub was discovered by Recorded Future in April 2024, showing overlaps with the now-defunct Knight ransomware. Despite having a flaw that allows defenders to bypass encryption by putting it into an infinite loop, the ESXi encryptor provides command-line options for configuration and specific commands for targeting VMs and directories.
The encryption scheme used by RansomHub’s ESXi variant includes ChaCha20 with Curve25519 for key generation and intermittent encryption to optimize performance. It encrypts only specific ESXi-related files and adds a footer with key information to each encrypted file.
The ransom note is placed in specific directories for visibility on login screens and web interfaces. Recorded Future analysts found that the ESXi variant can be neutralized by creating a specific file to fool the ransomware into an endless loop, offering organizations a temporary defense until the flaw is addressed by the RansomHub operators.
As ransomware operations increasingly target virtual machines like VMware ESXi, specialized encryptors have become common among threat actors. RansomHub’s ESXi encryptor includes features to hinder logging, speed up encryption process, and ensure its own deletion post-execution to avoid detection.
In conclusion, the discovery of the RansomHub ESXi variant highlights the evolving tactics of ransomware gangs to target enterprise environments with specialized encryptors. Organizations can take advantage of vulnerabilities like the infinite loop flaw to protect against such attacks until mitigations are implemented by the threat actors.
Article Source
https://www.bleepingcomputer.com/news/security/linux-version-of-ransomhub-ransomware-targets-VMware-esxi-vms/amp/
