Organizations running ESXi environments that thought they had somehow escaped the attention of REvil ransomware operators are on the brink of a rude awakening: the ransomware-as-a-service repertoire now includes a Linux version that targets VMware ESXi virtual machines directly, according to researchers at MalwareHunterTeam.
Vitali Kremez from Advanced Intel examined the results and tweeted some of the features of the Linux version of REvil:
- Uses the CLI component “esxcli” to terminate VMs using the world ID
- Partner “sub”: “7864” | usual structure
- GCC: (Ubuntu 4.8.4-2ubuntu1 ~ 14.04.4) 4.8.4
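The first feature in the tweet above (VMs terminated through esxcli by world ID) is the one a defender can watch for on the host itself. The following is an added detection example, not code from the article or from the researchers quoted: it parses constructed lines in the shape of ESXi's shell history log (the exact `shell.log` layout is an assumption here) for `esxcli vm process kill` commands, extracts the world ID from each, and flags a burst of several kills in a short window, which is what a mass termination step looks like as opposed to an administrator stopping one hung VM.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape of ESXi /var/log/shell.log entries
# (assumed layout: "<ISO timestamp> shell[<pid>]: [<user>]: <command>").
# These are illustrative, not captures from any real incident.
SAMPLE_SHELL_LOG = """\
2021-06-30T10:02:11Z shell[2150]: [root]: esxcli vm process list
2021-06-30T10:02:12Z shell[2150]: [root]: esxcli vm process kill --type=force --world-id=2104542
2021-06-30T10:02:13Z shell[2150]: [root]: esxcli vm process kill --type=force --world-id=2104577
2021-06-30T10:02:13Z shell[2150]: [root]: esxcli vm process kill --type=force --world-id=2104601
2021-06-30T10:02:14Z shell[2150]: [root]: esxcli vm process kill --type=force --world-id=2104633
2021-06-30T14:30:05Z shell[3301]: [root]: esxcli storage filesystem list
2021-06-30T16:45:40Z shell[4010]: [root]: esxcli vm process kill --type=soft --world-id=2104700
"""

# One shell.log line: timestamp, shell pid, user, and the command that was run.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)
# esxcli accepts "--world-id=N", "--world-id N" and the short form "-w N".
KILL_RE = re.compile(
    r"esxcli\s+vm\s+process\s+kill\b.*?(?:--world-id[=\s]+|-w\s+)(?P<wid>\d+)"
)


def parse_kill_events(log_text):
    """Return one dict per 'esxcli vm process kill' command found in the log."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        k = KILL_RE.search(m.group("cmd"))
        if not k:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "user": m.group("user"),
            "world_id": int(k.group("wid")),
            "cmd": m.group("cmd"),
        })
    return events


def find_mass_kill_bursts(events, threshold=3, window_seconds=60):
    """Slide a time window over the kill events and report every run of at
    least `threshold` kills inside `window_seconds`. A single kill is routine
    administration; several forced kills within a minute is not."""
    bursts = []
    events = sorted(events, key=lambda e: e["ts"])
    window = timedelta(seconds=window_seconds)
    start = 0
    for end in range(len(events)):
        # Advance the window start until all events in it fit the window.
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        if end - start + 1 >= threshold:
            ids = [e["world_id"] for e in events[start:end + 1]]
            # Extend the burst already reported for this window start
            # instead of emitting an overlapping duplicate.
            if bursts and bursts[-1]["start"] == events[start]["ts"]:
                bursts[-1]["world_ids"] = ids
            else:
                bursts.append({"start": events[start]["ts"], "world_ids": ids})
    return bursts


if __name__ == "__main__":
    kills = parse_kill_events(SAMPLE_SHELL_LOG)
    print(f"{len(kills)} VM kill command(s) found")
    for b in find_mass_kill_bursts(kills):
        print(f"burst at {b['start'].isoformat()}: world IDs {b['world_ids']}")
```

On the constructed sample this reports five kill commands and one burst of four world IDs at 10:02:12, while the lone `--type=soft` kill hours later is not flagged. Forwarding `shell.log` off the host (it is lost with the host if the attacker wipes it) and alerting on the burst condition rather than on any single kill keeps the signal useful without paging on normal maintenance.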
This addition to the REvil arsenal makes an already formidable and increasingly popular ransomware family even more dangerous.
“The REvil update to support Linux expands their attack vector enormously; with a set of servers that are either Linux or Linux-based, they are no longer limited to a single OS target and as such can easily migrate to others,” said Shawn …