
BlackMatter ransomware targeting VMware ESXi servers

The BlackMatter ransomware gang has developed a Linux ransomware encryptor targeting VMware ESXi virtual machine servers. The encryptor was found by MalwareHunterTeam.

ESXi's rising popularity in enterprises is leading more and more enterprise-targeting ransomware operations to build encryptors for the platform. The BlackMatter operation is believed to be a rebrand of DarkSide, which made headlines for attacking and shutting down Colonial Pipeline in May 2021.


Corporates in Danger?

VMware's ESXi is one of the most popular virtual machine platforms among corporates. Recently, however, almost every enterprise-targeting ransomware operation has started attacking the platform as well.

As reported by BleepingComputer, security researchers found samples indicating that the encryption routines used by BlackMatter are the same custom, unique ones used by DarkSide.

They also received a sample of BlackMatter's Linux encryptor, which was reverse-engineered by Advanced Intel's Vitali Kremez. The analysis indicated that the sample was specifically designed to target VMware ESXi servers.

The threat actors created a library named esxi_utils that performs various operations on the ESXi host in preparation for encryption. Each function runs a different command through the esxcli command-line tool; these tasks include listing and stopping VMs and disabling the firewall, among others.

Generally, before encrypting a datastore, ransomware designed for ESXi servers first shuts down the virtual machines, so that the VM disk files are not locked or left corrupted while the encryption runs. Once the VMs are stopped, files matching specific extensions, usually listed in the configuration embedded in the ransomware, are encrypted.
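The sequence above (enumerate VMs, force-stop them, drop the firewall, then encrypt) leaves a trace an administrator can hunt for, because ESXi records interactive shell commands in /var/log/shell.log. The following script is an added example written for this article, not code from the article, from BlackMatter, or from VMware: it scores esxcli invocations in such a log. The esxcli syntax used is the standard ESXi syntax; that the encryptor issues exactly these commands, and the sample log lines themselves, are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example: flag esxcli commands in an ESXi shell log that match the
# pre-encryption behaviour described in the article (list VMs, kill VMs,
# disable the firewall). Not the ransomware's code and not VMware tooling.

# Constructed sample in the style of /var/log/shell.log (not a real capture).
SAMPLE_LOG='2021-08-05T10:01:12Z shell[1001]: [root]: esxcli system version get
2021-08-05T10:02:45Z shell[1001]: [root]: esxcli vm process list
2021-08-05T10:02:47Z shell[1001]: [root]: esxcli vm process kill --type=force --world-id=2101234
2021-08-05T10:02:48Z shell[1001]: [root]: esxcli network firewall set --enabled false
2021-08-05T10:03:00Z shell[1001]: [root]: ls /vmfs/volumes'

# Reads log lines on stdin, prints "score<TAB>line" for each suspicious one.
# Listing VMs is routine admin work, so it scores low; a forced kill or a
# firewall disable scores high. The command strings are assumptions about
# what an esxi_utils-style helper would run, based on the tasks named above.
flag_esxcli_tamper() {
    grep -E 'esxcli (vm process (list|kill)|network firewall set)' |
    while IFS= read -r line; do
        case "$line" in
            *'vm process kill'*'--type=force'*)          echo "3	$line" ;;
            *'network firewall set'*'--enabled false'*)  echo "3	$line" ;;
            *'vm process list'*)                         echo "1	$line" ;;
            *)                                           echo "2	$line" ;;
        esac
    done
}

# Sums the scores of all flagged lines on stdin; a burst of kill + firewall
# commands from one shell session is the pattern worth paging on.
tamper_score() {
    flag_esxcli_tamper | awk -F'\t' '{ s += $1 } END { print s + 0 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | flag_esxcli_tamper
echo "total tamper score: $(printf '%s\n' "$SAMPLE_LOG" | tamper_score)"
```

In production the same functions would be fed by `tail -f /var/log/shell.log` or by the syslog stream the host forwards to a collector; the threshold and the low score for `vm process list` are tuning choices, not something the article specifies.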

Apart from their widespread corporate use, targeting ESXi servers is also efficient for attackers: encrypting a single host's datastores hits every virtual server it runs, so numerous servers can be taken down with one command.
