The BlackMatter ransomware gang has developed a Linux ransomware encryptor targeting VMware ESXi virtual machine servers. The encryptor was found by MalwareHunterTeam.
ESXi’s rising popularity is causing more and more enterprise-targeting ransomware operations to go after the platform. The BlackMatter operation is believed to be a rebrand of Darkside, which made headlines for attacking and shutting down Colonial Pipeline in May.
Corporates in Danger?
VMware’s ESXi is one of the most popular virtual machine platforms among enterprises. As a result, almost every enterprise-targeting ransomware operation has recently started attacking the platform.
As reported by BleepingComputer, security researchers found samples showing that the encryption routines used by BlackMatter are the same custom, unique routines used by Darkside.
They also obtained a BlackMatter Linux encryptor sample, which was reverse-engineered by Advanced Intel’s Vitali Kremez. His analysis showed that the sample was specifically designed to target VMware ESXi servers.
The threat actors created a library named esxi_utils that performs various operations on ESXi servers, including encrypting files. Each of its functions wraps a different command issued through the esxcli command-line tool; these include listing and stopping VMs and disabling the firewall, among others.
Generally, before encrypting a datastore, malware designed for ESXi servers first attempts to shut down the running virtual machines: a running VM holds locks on its disk files, and powering it off prevents the data from being corrupted while the ransomware encrypts it. Once the VMs are powered off, files matching specific extensions (typically listed in the configuration embedded in the ransomware) are encrypted.
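The sequence just described (enumerate VMs, force-kill them, disable the firewall, then start touching the datastore) is unusual enough in a single ESXi shell session to be worth alerting on. The script below is an added example written for this page; it is not code from the article, from BleepingComputer, or from Kremez’s analysis. It scores each ESXi shell session by the esxcli commands it runs. The `esxcli vm process list`, `esxcli vm process kill` and `esxcli network firewall set --enabled false` commands are real esxcli commands; the shell.log line format, the sample log lines, the indicator weights and the `./esxi_encrypt` binary name are all constructed for illustration, not taken from any real incident.

```python
"""Score ESXi shell sessions for the ransomware pre-encryption pattern
(list VMs, force-kill VMs, disable firewall, run something against /vmfs).
Added example; log format and weights are assumptions, see lead-in."""
import re
from collections import defaultdict

# Constructed sample of /var/log/shell.log lines. The exact format is an
# assumption; adjust LINE_RE to match the ESXi build you are investigating.
SAMPLE_SHELL_LOG = """\
2021-08-05T02:11:03Z shell[2098812]: [root]: esxcli vm process list
2021-08-05T02:11:09Z shell[2098812]: [root]: esxcli vm process kill --type=force --world-id=2100315
2021-08-05T02:11:10Z shell[2098812]: [root]: esxcli vm process kill --type=force --world-id=2100412
2021-08-05T02:11:14Z shell[2098812]: [root]: esxcli network firewall set --enabled false
2021-08-05T02:11:20Z shell[2098812]: [root]: ./esxi_encrypt /vmfs/volumes/datastore1
2021-08-05T09:30:01Z shell[2100902]: [admin]: esxcli vm process list
2021-08-05T09:35:44Z shell[2100902]: [admin]: esxcli system version get
"""

# timestamp, shell PID (one interactive session), user, command line
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$'
)

# (indicator name, command pattern, weight). Weights are illustrative:
# listing VMs is routine admin work, force-killing every VM and dropping
# the firewall is not, so those carry most of the score.
INDICATORS = [
    ("vm_list",       re.compile(r'^esxcli vm process list'), 1),
    ("vm_kill_force", re.compile(r'^esxcli vm process kill .*--type=force'), 3),
    ("firewall_off",  re.compile(r'^esxcli network firewall set .*--enabled[= ]false'), 4),
    # hypothetical: any locally dropped binary executed against a datastore
    ("vmfs_exec",     re.compile(r'^\./\S+ /vmfs/volumes'), 2),
]
ALERT_THRESHOLD = 6  # assumption: reached only by kill+firewall or kill+kill


def parse_shell_log(text):
    """Yield a dict per well-formed shell.log line; silently skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def score_sessions(text):
    """Group commands by shell PID and sum indicator weights per session."""
    sessions = defaultdict(lambda: {"user": None, "score": 0, "hits": []})
    for rec in parse_shell_log(text):
        s = sessions[rec["pid"]]
        s["user"] = rec["user"]
        for name, rx, weight in INDICATORS:
            if rx.match(rec["cmd"]):
                s["score"] += weight
                s["hits"].append((name, rec["ts"]))
    return dict(sessions)


def alerts(text, threshold=ALERT_THRESHOLD):
    """Return the PIDs of sessions whose score reaches the alert threshold."""
    return sorted(pid for pid, s in score_sessions(text).items() if s["score"] >= threshold)


if __name__ == "__main__":
    for pid, s in score_sessions(SAMPLE_SHELL_LOG).items():
        flag = "ALERT" if s["score"] >= ALERT_THRESHOLD else "ok"
        names = [h[0] for h in s["hits"]]
        print(f"{flag:5} pid={pid} user={s['user']} score={s['score']} hits={names}")
```

On the constructed sample the root session scores 13 and is flagged, while the admin session that merely lists VMs and checks the version scores 1. In practice the same grouping works on shell.log shipped to a SIEM via syslog; the thing to tune is the weight on `vm_kill_force`, since a single forced kill during maintenance is normal but several in quick succession followed by a firewall change is not.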
Apart from ESXi’s widespread corporate use, targeting ESXi servers is also efficient for attackers: encrypting a single host’s datastores takes down every virtual machine it runs, so numerous servers can be encrypted with a single command.