A few days ago, a report highlighted the increasing affinity of ransomware groups toward the ESXi platform. The trend continues further, with a new RaaS operation added to the list. This operation, dubbed MichaelKors (formerly Qilin), has been encrypting Linux and VMware ESXi systems since April.
MichaelKors serves affiliates
According to Group-IB, MichaelKors provides the ransomware binaries to its affiliates, along with an admin panel, allowing them to efficiently target ESXi/Linux systems.
- According to researchers, affiliates connected to the Qilin RaaS group receive 80% to 85% of the ransom payments.
- The RaaS affiliate program offers a Rust-based payload, that can be customized to each victim.
- It allows changing the extension used for encrypted files, and the list of services and processes terminated by the malware.
The earlier variant of MichaelKors, also referred to as Qilin or Agenda, has been targeting Windows machines since August 2022.
Admin panel for affiliates
MichaelKors RaaS provides its affiliates with an admin panel to manage and control the attacks, which is divided into the following sections:
- Targets: This section provides information about the targeted organizations, the demanded ransom size, and specific customizations for each target.
- Blogs: Here affiliates are allowed to create a blog post regarding the targeted company, including the leaked information in case the ransom is not paid.
- Stuffers: This allows the affiliates to create accounts for the new members of their team, providing separate login credentials, and appropriate access permissions on the portal.
- Payments: Provide information about the balance amount earned by the affiliate, recent transactions, and fees to join the RaaS program.
- News, and FAQs: These are respectively used to provide news updates related to the ransomware partnerships, details about the usage of the malware, and more.
The common attack tactics used by MichaelKors include phishing emails having malicious links embedded in them.
Victims present globally
- Although the number of ESXi-specific victims is not known, the group is believed to have targeted 12 organizations globally so far.
- Targeted countries include U.S.A. and Canada (two victims each) and Colombia, Australia, France, Netherlands, Brazil, Serbia, Japan, and the U.K (one victim each).
Ending notes
The rapid increase in affinity toward ESXi is already a growing concern for the security community. Moreover, MichaelKors RaaS operation further reduces the skill barrier for novice attackers, reducing the efforts required to target ESXi-based machines. To mitigate the risks, ESXi administrators are suggested to avoid direct access to the ESXi hosts, or using hardened jump servers with MFA enabled to restrict the access.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/8705_shutterstock_1341253400.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_415615855.jpg)
