RansomHub, a ransomware-as-a-service (RaaS) operation launched in February 2024, has introduced a new Linux encryptor specifically designed for VMware ESXi environments. This latest variant, first observed in April 2024, is a C++ program derived from the now-defunct Knight ransomware. Unlike the Windows and Linux versions of RansomHub, which are written in Go, the ESXi encryptor supports various command-line options for executing encryption tasks and managing virtual machines.
The ESXi variant features commands like ‘vim-cmd vmsvc/getallvms’ for listing VMs and ‘esxcli vm process kill’ for shutting them down. It also disables critical services to hinder logging and can delete itself post-execution to avoid detection. The encryption uses ChaCha20 with Curve25519 and targets ESXi-related files with intermittent encryption, affecting only the first megabyte of larger files for performance reasons.
Recorded Future analysts discovered a flaw in the ESXi encryptor that could be exploited to neutralize the ransomware. By creating a file named ‘/tmp/app.pid’ with a process ID of ‘-1,’ defenders can put the ransomware into an endless loop, preventing it from encrypting files. This vulnerability offers a temporary defense against the ransomware until the issue is patched by the threat actors.
The introduction of this specialized ESXi encryptor highlights the increasing sophistication of ransomware targeting virtualized environments. As enterprises continue to adopt virtual machines for better resource management, ransomware groups are developing tailored tools to exploit these systems. The RansomHub ESXi encryptor’s capabilities and its bug reveal ongoing challenges in defending against evolving cyber threats.
Reference:
