Black Basta has been updated to encrypt VMware ESXi virtual machines (VMs) running on Linux servers. The updated version allows faster encryption of multiple servers with a single command.

The Linux version

According to a report from Uptycs, the new Black Basta variant uses the ChaCha20 algorithm to encrypt files and uses multithreading across multiple processors to speed up encryption.
  • The ransomware binary looks for the /vmfs/volumes directory, where the virtual machines are stored on compromised ESXi servers. If this folder does not exist on the target device, the ransomware exits.
  • It appends the .basta extension to the names of encrypted files and creates a ransom note named readme[.]txt in every folder. The note has a link to the chat support panel and a unique ID for communication.
  • Further, researchers were unable to find command-line arguments to target other paths for encryption. This indicates that this encryptor is specifically developed to target ESXi servers only.
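
A defender-side triage check built from the indicators above, as an added example that is not from the Uptycs report or the original article: it walks a datastore root and flags folders holding .basta files, a readme.txt note, or both. The function names, the confidence levels and the sample tree are assumptions made for illustration.

```python
import os
import tempfile
from collections import namedtuple

ROOT = "/vmfs/volumes"    # datastore root the report says the binary looks for
ENC_EXT = ".basta"        # extension appended to encrypted files
NOTE_NAME = "readme.txt"  # ransom note written to every folder

Finding = namedtuple("Finding", "directory encrypted note_present confidence")

def scan(root=ROOT):
    """Return one Finding per directory under root that shows an indicator."""
    findings = []
    # followlinks=False: do not descend into symlinked directories, so a
    # datastore reachable under two names is not reported twice.
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        encrypted = sorted(f for f in files if f.lower().endswith(ENC_EXT))
        note = any(f.lower() == NOTE_NAME for f in files)
        if encrypted and note:
            level = "high"      # both indicators in the same folder
        elif encrypted:
            level = "medium"    # renamed files, note absent or removed
        elif note:
            level = "low"       # readme.txt alone is a common benign file
        else:
            continue
        findings.append(Finding(dirpath, encrypted, note, level))
    return findings

def make_constructed_tree(base):
    """Build a small constructed datastore layout for the demo (no real data)."""
    layout = {
        "ds1/vm-a": ["vm-a.vmdk.basta", "vm-a.vmx.basta", "readme.txt"],
        "ds1/vm-b": ["vm-b.vmdk", "vm-b.vmx"],
        "ds1/iso": ["readme.txt"],
    }
    for rel, names in layout.items():
        folder = os.path.join(base, *rel.split("/"))
        os.makedirs(folder)
        for name in names:
            open(os.path.join(folder, name), "w").close()
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in scan(make_constructed_tree(tmp)):
            print(f.confidence, f.directory, f.encrypted)
```

Only the "high" result combines both indicators from the report; a readme.txt on its own is reported as "low" because that file name is common in benign folders.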

More about Black Basta 

Black Basta was first spotted in April and started targeting organizations around the world. 
  • The gang's ransom demands vary among victims; at least one victim received a demand of over $2 million for a decryptor and to avoid having their data leaked online.
  • Recently, the ransomware group joined hands with QBot to move laterally across the victim's network.


Black Basta has joined the list of threats targeting Linux-based systems, specifically instances of VMware ESXi servers. Targeting these servers allows the threat to focus on large enterprises where this virtualization platform is commonly used. Thus, organizations are advised to stay protected by taking frequent backups of important data and deploying proper access control checks.
Cyware Publisher