RansomHub Evolves To Attack Windows, ESXi, Linux and FreeBSD Operating Systems

With RansomHub actively exploiting zero-day vulnerabilities and recruiting displaced ALPHV/LockBit affiliates, organizations must strengthen endpoint security and ensure backup isolation to prevent potential attacks. RansomHub ransomware group leverages advanced evasion techniques, cross-platform encryption, and vulnerabilities in enterprise infrastructure. As this ransomware group done by expanding its arsenal to target Windows, VMware ESXi, Linux, and FreeBSD systems in global attacks. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. RansomHub’s ransomware variants are tailored for diverse environments, featuring unique command-line arguments and encryption methods per platform. RansomHub affiliates exploit vulnerabilities such as CVE-2024-3400 (Palo Alto firewalls) and CVE-2021-42278/CVE-2020-1472 (Active Directory) for initial access. CISA urges organizations to immediately patch CVE-2024-3400 and audit remote services to mitigate the growing threat posed by RansomHub. The RansomHub ransomware group has rapidly emerged as one of the most prolific cybercrime syndicates of 2024–2025. Group-IB analysts have discovered that the group has compromised over 600 organizations, including healthcare, finance, and critical infrastructure sectors. The FreeBSD version, detected as Ransom.FreeBSD.INTERLOCK.THJBBBD, avoids critical directories (/boot, /etc) and appends .interlock to files. RansomHub’s affiliate panel, acquired from the defunct Knight ransomware, enables customizable ransom notes and leak site integrations. Tushar is a Cyber security content editor with a passion for creating captivating and informative content. The ESXi encryptor (C++-based) disrupts virtual machines using vim-cmd commands and encrypts VM files (.vmdk, .vmx) with ChaCha20 and Curve25519 algorithms. A flawed /tmp/app.pid check allows defenders to prevent encryption by writing -1 to the file, forcing an infinite loop.

This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 17 Feb 2025 13:25:05 +0000


Cyber News related to RansomHub Evolves To Attack Windows, ESXi, Linux and FreeBSD Operating Systems

RansomHub Evolves To Attack Windows, ESXi, Linux and FreeBSD Operating Systems - With RansomHub actively exploiting zero-day vulnerabilities and recruiting displaced ALPHV/LockBit affiliates, organizations must strengthen endpoint security and ensure backup isolation to prevent potential attacks. RansomHub ransomware group ...
3 months ago Cybersecuritynews.com CVE-2024-3400 CVE-2021-42278 CVE-2020-1472 LockBit Ransomhub
CVE-2024-36886 - In the Linux kernel, the following vulnerability has been resolved: ...
11 months ago
EvilCorp & RansomHub Working Together to Attack Organizations Worldwide - The attack progression typically follows a pattern of initial SocGholish infection, deployment of the VIPERTUNNEL backdoor, lateral movement through the network, data exfiltration, and finally, RansomHub ransomware deployment. Microsoft first ...
1 month ago Cybersecuritynews.com Ransomhub LockBit
RansomHub Ransomware-as-a-service Facing Internal Conflict as Affiliates Lost Access to Chat Portals - Unlike many competitors, RansomHub implemented a business model that directed ransom payments either directly to affiliates or split them at the point of transaction, significantly reducing the risk of “exit-scamming” – a common problem ...
1 month ago Cybersecuritynews.com Dragonforce Black Basta Ransomhub
Investigation of Possible Causes of ESXiArgs Ransomware Attacks Suggests VMware is Not at Fault - Edward Hawkins, the High-Profile Product Incident Response Manager at VMware, has denied allegations that two-year-old security flaws have been used in the current ESXiArgs ransomware attacks. Over the weekend, reports surfaced about cybercriminals ...
2 years ago Hackread.com CVE-2021-21974
RansomHub’s EDRKillShifter Link With Other Well-Established Ransomware Gang’s - New Research - In May 2024, RansomHub introduced EDRKillShifter, a custom endpoint detection and response killer designed to terminate security products by abusing vulnerable drivers, effectively blinding defensive systems before encryption begins. ESET researchers ...
2 months ago Cybersecuritynews.com BianLian Medusa Ransomhub LockBit
VMware ESXi 8.0 Update 3e Released for Free, What's New! - This marks a significant policy reversal after Broadcom discontinued the free ESXi offering following its acquisition of VMware, a move that had pushed many users toward alternative virtualization platforms. Broadcom has officially reintroduced the ...
1 month ago Cybersecuritynews.com
Linux version of Qilin ransomware focuses on VMware ESXi - A sample of the Qilin ransomware gang's VMware ESXi encryptor has been found and it could be one of the most advanced and customizable Linux encryptors seen to date. Due to this adoption, almost all ransomware gangs have created dedicated VMware ESXi ...
1 year ago Bleepingcomputer.com Qilin
Christie's confirms breach after RansomHub threatens to leak data - Christie's confirmed that it suffered a security incident earlier this month after the RansomHub extortion gang claimed responsibility and threatened to leak stolen data. Christie's is a prominent auction house with a history spanning 2.5 centuries. ...
1 year ago Bleepingcomputer.com Ransomhub
Vulnerability Summary for the Week of March 11, 2024 - Published 2024-03-15 CVSS Score not yet calculated Source & Patch Info CVE-2021-47111416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - Product linux - linux Description In the ...
1 year ago Cisa.gov
Vulnerability Summary for the Week of March 4, 2024 - Published 2024-03-06 CVSS Score not yet calculated Source & Patch Info CVE-2023-52584416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - ...
1 year ago Cisa.gov
CVE-2009-4358 - freebsd-update in FreeBSD 8.0, 7.2, 7.1, 6.4, and 6.3 uses insecure permissions in its working directory (/var/db/freebsd-update by default), which allows local users to read copies of sensitive files after a (1) freebsd-update fetch (fetch) or (2) ...
15 years ago
Change Healthcare's New Ransomware Nightmare Goes From Bad to Worse - Change Healthcare is facing a new cybersecurity nightmare after a ransomware group began selling what it claims is Americans' sensitive medical and financial records stolen from the health care giant. RansomHub claimed it had health care data on ...
1 year ago Wired.com Ransomhub
RansomHub Ransomware Group Compromised 84 Organization, New Groups Emerging - Cyfirma researchers noted a custom backdoor called “Betruger” being deployed in recent RansomHub operations, representing a significant evolution in ransomware tactics. Unlike some ransomware operations that rely heavily on publicly ...
1 month ago Cybersecuritynews.com Ransomhub
CVE-2008-5736 - Multiple unspecified vulnerabilities in FreeBSD 6 before 6.4-STABLE, 6.3 before 6.3-RELEASE-p7, 6.4 before 6.4-RELEASE-p1, 7.0 before 7.0-RELEASE-p7, 7.1 before 7.1-RC2, and 7 before 7.1-PRERELEASE allow local users to gain privileges via unknown ...
5 years ago
No Signs of Unpatched Vulnerabilities Discovered in ESXiArgs Ransomware Attacks - VMware reported on Monday that there is no proof that hackers are using an unknown security flaw, also known as a zero-day, in its software as part of a ransomware attack. Most reports suggest that outdated products with known vulnerabilities that ...
2 years ago Thehackernews.com CVE-2021-21974
Windows 10 Extended Security Updates Promised for Small Businesses and Home Users - Already common for enterprises, for the first time, individuals will also get the option to pay for extended security updates for a Windows operating system that's out of support. Windows 10 will stop getting free updates, including security fixes, ...
1 year ago Techrepublic.com
Latest Information Security and Hacking Incidents - The ransomware strain Qilin has surfaced as a new danger to computers using VMware ESXi, which is a recent development in the cryptocurrency space. Concerned observers have expressed concern over the fact that this Qilin Linux version exhibits a ...
1 year ago Cysecurity.news Qilin
9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com
RansomHub ransomware uses new Betruger ‘multi-function’ backdoor - The malware's capabilities include a wide range of capabilities that overlap with features commonly found in malicious tools dropped before deploying ransomware payloads, including keylogging, network scanning, privilege escalation, credential ...
2 months ago Bleepingcomputer.com Ransomhub
RansomHouse gang automates VMware ESXi attacks with new MrAgent tool - The RansomHouse ransomware operation has created a new tool named 'MrAgent' that automates the deployment of its data encrypter across multiple VMware ESXi hypervisors. RansomHouse is a ransomware-as-a-service operation that emerged in December 2021 ...
1 year ago Bleepingcomputer.com LockBit
Attack Vector vs Attack Surface: The Subtle Difference - Cybersecurity discussions about "Attack vectors" and "Attack surfaces" sometimes use these two terms interchangeably. This article guides you through the distinctions between attack vectors and attack surfaces to help you better understand the two ...
2 years ago Trendmicro.com
Change Healthcare Hit By Cyber Extortion Again - Change Healthcare, a subsidiary of UnitedHealth Group, has been facing renewed extortion from cybercriminals just a month after paying a ransom to prevent the release of data stolen in a February 2024 ransomware attack. The attack, orchestrated by ...
1 year ago Infosecurity-magazine.com Ransomhub
Cyberattack on telecom giant Frontier claimed by RansomHub - An April cyberattack on a large telecommunications company has been claimed by a ransomware gang that is gaining steam as a cybercriminal operation. On Saturday, the RansomHub operation posted Frontier Communications to its leak site claiming to have ...
11 months ago Therecord.media Ransomhub
Embedded Linux IoT Security: Defending Against Cyber Threats - Embedded Linux IoT systems are now essential parts of many different kinds of products, from industrial machinery and smart appliances to medical equipment and automobile systems. As Embedded Linux is being used widely, it has attracted the attention ...
1 year ago Securityboulevard.com