REvil ransomware operators are active again, and this time they are targeting VMware ESXi virtual machines. In May, a researcher from Intel shared a forum post from the REvil operation in which they spotted a Linux version of its encryptor that could also target NAS devices.
What has happened?
Recently, a security researcher from MalwareHunterTeam discovered a Linux version of REvil, aka Sodinokibi, that targets ESXi servers. This is the first known instance of the Linux variant being publicly available.
According to Intel researchers, the new REvil Linux variant is an ELF64 executable that includes the same configuration options used by the more common Windows executable.
When running this new Linux variant on a server, the attacker can pre-define the path to encrypt and enable a silent mode.
When executed on targeted ESXi servers, it runs the esxcli command-line tool to list all running ESXi virtual machines.
The esxcli command is used to close the VMDK files stored in the /vmfs/ folder, so that the REvil ransomware can encrypt the targeted files without ESXi holding them locked.
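Detection logic for the behaviour described above, added here as an example and not taken from the original article or from any vendor tooling: it scans ESXi shell log lines for a session that lists running virtual machines with esxcli and then kills several of them in quick succession. The log layout, the constructed sample lines, the choice of the `esxcli vm process list` and `esxcli vm process kill` subcommands as the signal, and the thresholds are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines; the "shell[pid]: [user]: command" layout is assumed.
SAMPLE_LOG = """\
2021-06-28T10:14:55Z shell[2101234]: [root]: esxcli network ip interface list
2021-06-28T10:15:01Z shell[2101234]: [root]: esxcli vm process list
2021-06-28T10:15:02Z shell[2101234]: [root]: esxcli vm process kill --type=force --world-id=1001
2021-06-28T10:15:02Z shell[2101234]: [root]: esxcli vm process kill --type=force --world-id=1002
2021-06-28T10:15:03Z shell[2101234]: [root]: esxcli vm process kill --type=force --world-id=1003
2021-06-29T08:00:00Z shell[2105555]: [admin]: esxcli vm process list
2021-06-29T09:30:00Z shell[2105555]: [admin]: esxcli vm process kill --type=soft --world-id=1004
"""

LINE_RE = re.compile(r"^(\S+) shell\[(\d+)\]: \[([^\]]+)\]: (.*)$")
LIST_RE = re.compile(r"\besxcli\b.*\bvm\s+process\s+list\b")
KILL_RE = re.compile(r"\besxcli\b.*\bvm\s+process\s+kill\b")


def parse(log_text):
    """Yield (timestamp, session pid, user, command) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # Drop fractional seconds and the trailing Z before parsing.
            ts = datetime.strptime(m.group(1)[:19], "%Y-%m-%dT%H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)


def find_mass_vm_kill(log_text, window=timedelta(seconds=60), min_kills=3):
    """Alert when one shell session lists VMs, then kills min_kills within window."""
    alerts, listed_at, kills = [], {}, {}
    for ts, pid, user, cmd in parse(log_text):
        is_list, is_kill = LIST_RE.search(cmd), KILL_RE.search(cmd)
        if is_list and is_kill:
            # Listing fed straight into kill on one command line: alert at once.
            alerts.append({"session": pid, "user": user, "at": ts, "kills": None})
        elif is_list:
            listed_at[pid], kills[pid] = ts, 0
        elif is_kill and pid in listed_at and ts - listed_at[pid] <= window:
            kills[pid] += 1
            if kills[pid] == min_kills:
                alerts.append({"session": pid, "user": user, "at": ts, "kills": kills[pid]})
    return alerts


if __name__ == "__main__":
    for alert in find_mass_vm_kill(SAMPLE_LOG):
        print(alert)
```

The administrator session in the sample does not alert because its single kill falls outside the window; tune `window` and `min_kills` to the host's normal maintenance pattern.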
Other ransomware opting for Linux variants
Other ransomware operations, such as RansomExx/Defray, Babuk, GoGoogle, DarkSide, HelloKitty, and Mespinoza, have also developed Linux encryptors to target ESXi virtual machines.
A month ago, DarkSide ransomware targeted both Windows and Linux platforms. Additionally, researchers discovered that the Linux variant was specifically targeted at ESXi servers.
By targeting virtual machines, REvil can encrypt multiple servers with just a single command. Moreover, several ransomware groups are actively developing or have already created a Linux-based version to target virtual machines. Therefore, experts recommend installing VMware (ESXi) in high-security mode and implementing additional layers of security.