A sample of the Qilin ransomware gang's VMware ESXi encryptor has been found and it could be one of the most advanced and customizable Linux encryptors seen to date.
Due to this adoption, almost all ransomware gangs have created dedicated VMware ESXi encryptors to target these servers.
While many ransomware operations utilize the leaked Babuk source code to create their encryptors, a few, such as Qilin, create their own encryptors to target Linux servers.
Last month, security researcher MalwareHunterTeam found a Linux ELF64 encryptor for the Qilin ransomware gang and shared it with BleepingComputer to analyze.
While the encryptor can be used on Linux, FreeBSD, and VMware ESXi servers, it heavily focuses on encrypting virtual machines and deleting their snapshots.
Qilin's encryptor is built with an embedded configuration specifying the extension for encrypted files, the processes to terminate, the files to encrypt or exclude, and the folders to encrypt or exclude.
The encryptor also accepts command line arguments, including options to enable a debug mode, perform a dry run without encrypting any files, or customize how virtual machines and their snapshots are encrypted.
Values are from 0 for FATAL up to 5 for DEBUG
-no-df             Ignore configured white-/black-lists of directories
-no-ef             Ignore configured white-/black-lists of extensions
-no-ff             Ignore configured white-/black-lists of files
-no-proc-kill      Disables process kill
-R, -no-rename     Disables rename of completed files
-no-snap-rm        Disables snapshot deletion
-no-vm-kill        Disables VM kill
-p, -path          Specifies top-level directory for files search
-password          Password for startup
-r, -rename        Enables rename of completed files
-t, -timer         Enabled timed delay before encryption
-w, -whitelist     Use whitelists for inclusion instead of blacklists for exclusion
-y, -yes           Assume answer 'yes' on all questions.
When executed, the ransomware will determine if it is running in Linux, FreeBSD, or VMware ESXi server.
If it detects VMware ESXi, it will run the following esxcli and esxcfg-advcfg commands, which we have not seen in other ESXi encryptors in the past.
VMware expert Melissa Palmer told BleepingComputer that these commands were likely copied from VMware support bulletins to resolve a known VMware memory heap exhaustion bug and increase performance when executing ESXi commands on the server.
All targeted files will then be encrypted and have the configured extension appended to the file name.
In each folder, a ransom note named [extension] RECOVER.txt will be created that contains links to the ransomware gang's Tor negotiation site and the login credentials required to access the victim's chat page.
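As an added defender-side check, not part of the article or the analysed sample, the following Python scans a file listing for the pattern described above: a folder holding a note that ends in RECOVER.txt alongside several files carrying the same appended extension as the note's prefix. The extension "qlnx", the datastore paths and the function name are constructed placeholders.

```python
import os
from collections import Counter, defaultdict

# The article states the note is named "[extension] RECOVER.txt" and dropped in every folder.
NOTE_SUFFIX = "RECOVER.txt"

# Constructed file listing for illustration; "qlnx" is a placeholder, not Qilin's real extension.
SAMPLE_PATHS = [
    "/vmfs/volumes/ds1/web01/web01.vmdk.qlnx",
    "/vmfs/volumes/ds1/web01/web01.vmx.qlnx",
    "/vmfs/volumes/ds1/web01/web01.nvram.qlnx",
    "/vmfs/volumes/ds1/web01/qlnx_RECOVER.txt",
    "/vmfs/volumes/ds1/db01/db01.vmdk",
    "/vmfs/volumes/ds1/db01/db01.vmx",
    "/home/admin/notes/README.txt",
]


def find_ransom_note_indicators(paths, min_files=3):
    """Return {directory: extension} for directories that match the encryptor's footprint.

    A directory is flagged when it contains a note ending in RECOVER.txt and at least
    `min_files` other files whose final extension equals the note's prefix, i.e. the
    extension the encryptor appended after encrypting them.
    """
    by_dir = defaultdict(list)
    for path in paths:
        directory, name = os.path.split(path)
        by_dir[directory].append(name)

    flagged = {}
    for directory, names in by_dir.items():
        notes = [n for n in names if n.endswith(NOTE_SUFFIX)]
        if not notes:
            continue
        # "qlnx_RECOVER.txt" or "qlnx RECOVER.txt" -> "qlnx"
        prefixes = {n[: -len(NOTE_SUFFIX)].strip("_-. ") for n in notes}
        # Count the final extension of every non-note file in the folder.
        exts = Counter(n.rsplit(".", 1)[-1] for n in names if "." in n and n not in notes)
        for ext, count in exts.items():
            if ext in prefixes and count >= min_files:
                flagged[directory] = ext
    return flagged


if __name__ == "__main__":
    for directory, ext in find_ransom_note_indicators(SAMPLE_PATHS).items():
        print(f"possible encryption in {directory}: files renamed with .{ext} next to a RECOVER.txt note")
```

Run it against a real `find / -type f` listing (or a datastore inventory) rather than the constructed sample; the match on the note's prefix is what separates this from a generic "unknown extension" alert.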
Like other enterprise-targeting ransomware operations, Qilin will breach a company's networks and steal data as they spread laterally to other systems.
When done collecting data and gaining server administrator credentials, the threat actors deploy the ransomware to encrypt all devices on the network.
The stolen data and the encrypted files are then used as leverage in double-extortion attacks to coerce a company into paying a ransom demand.
Since its launch, the ransomware operation has had a steady stream of victims but has seen increased activity towards the end of 2023.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sun, 03 Dec 2023 21:15:19 +0000