Skip to content

BlackMatter ransomware targetting VMware ESXi servers

  • by
  • 2 min read

The BlackMatter ransomware gang has developed a Linux ransomware encryptor targetting VMware ESXi virtual machine servers. The encryptor was found by MalwareHunterTeam.

ESXi’s rising popularity is causing more and more enterprises targetting ransomware to target the platform. The BlackMatter operation is believed to be a rebrand of Darkside, which made headlines for attacking and shutting down Colonial Pipeline in May.

In the News: Google unveils the Pixel 6 ready to take on the ‘ultra-high end’ segment 

Corporates in Danger?

VMware’s ESXi is one of the most popular virtual machine platforms among corporates. However, recently, almost every enterprise-targeting ransomware has started attacking the platform.

As reported by BleepingComputersecurity researchers found samples that indicated that the encryption routines used by Blackmatter are the same custom and unique ones used by Darkside.

They also received a Blackmatter’s Linux encryptor sample, which was reverse-engineered by Advanced Intel’s Vitali Kremez. The analysis indicated that the sample was specially designed to target VMware’s ESXi servers. 

The threat actors created a library named esxi_utils which is used to perform various operations such as encrypting files on ESXi servers. Each function serves a different command which can be issued by the esxcli command-line tool. These tasks include listing/stopping VMs and disabling firewalls, among others. 

Generally, before encrypting a drive, all malware designed for ESXi servers will attempt to shut the virtual machine down to prevent data from being corrupted as the ransomware goes about its encryption process. Once the device is shut down, files matching specific file extensions — often listed in the configuration included with the ransomware are encrypted. 

Apart from their widespread corporate use, targeting ESXi servers is also relatively efficient as attackers can encrypt numerous servers with a single command. 

In the News: Galaxy Tab S7 FE arrives in the US starting at $529.99

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: