RansomHub Evolves To Attack Windows, ESXi, Linux and FreeBSD Operating Systems

With RansomHub actively exploiting zero-day vulnerabilities and recruiting displaced ALPHV/LockBit affiliates, organizations must strengthen endpoint security and ensure backup isolation to prevent potential attacks. RansomHub ransomware group leverages advanced evasion techniques, cross-platform encryption, and vulnerabilities in enterprise infrastructure. As this ransomware group done by expanding its arsenal to target Windows, VMware ESXi, Linux, and FreeBSD systems in global attacks. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. RansomHub’s ransomware variants are tailored for diverse environments, featuring unique command-line arguments and encryption methods per platform. RansomHub affiliates exploit vulnerabilities such as CVE-2024-3400 (Palo Alto firewalls) and CVE-2021-42278/CVE-2020-1472 (Active Directory) for initial access. CISA urges organizations to immediately patch CVE-2024-3400 and audit remote services to mitigate the growing threat posed by RansomHub. The RansomHub ransomware group has rapidly emerged as one of the most prolific cybercrime syndicates of 2024–2025. Group-IB analysts have discovered that the group has compromised over 600 organizations, including healthcare, finance, and critical infrastructure sectors. The FreeBSD version, detected as Ransom.FreeBSD.INTERLOCK.THJBBBD, avoids critical directories (/boot, /etc) and appends .interlock to files. RansomHub’s affiliate panel, acquired from the defunct Knight ransomware, enables customizable ransom notes and leak site integrations. Tushar is a Cyber security content editor with a passion for creating captivating and informative content. The ESXi encryptor (C++-based) disrupts virtual machines using vim-cmd commands and encrypts VM files (.vmdk, .vmx) with ChaCha20 and Curve25519 algorithms. A flawed /tmp/app.pid check allows defenders to prevent encryption by writing -1 to the file, forcing an infinite loop.

This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 17 Feb 2025 13:25:05 +0000

Cyber News related to RansomHub Evolves To Attack Windows, ESXi, Linux and FreeBSD Operating Systems

RansomHub Evolves To Attack Windows, ESXi, Linux and FreeBSD Operating Systems - With RansomHub actively exploiting zero-day vulnerabilities and recruiting displaced ALPHV/LockBit affiliates, organizations must strengthen endpoint security and ensure backup isolation to prevent potential attacks. RansomHub ransomware group ...
2 days ago Cybersecuritynews.com

CVE-2024-36886 - In the Linux kernel, the following vulnerability has been resolved: ...
7 months ago

Christie's confirms breach after RansomHub threatens to leak data - Christie's confirmed that it suffered a security incident earlier this month after the RansomHub extortion gang claimed responsibility and threatened to leak stolen data. Christie's is a prominent auction house with a history spanning 2.5 centuries. ...
8 months ago Bleepingcomputer.com

Investigation of Possible Causes of ESXiArgs Ransomware Attacks Suggests VMware is Not at Fault - Edward Hawkins, the High-Profile Product Incident Response Manager at VMware, has denied allegations that two-year-old security flaws have been used in the current ESXiArgs ransomware attacks. Over the weekend, reports surfaced about cybercriminals ...
2 years ago Hackread.com

Linux version of Qilin ransomware focuses on VMware ESXi - A sample of the Qilin ransomware gang's VMware ESXi encryptor has been found and it could be one of the most advanced and customizable Linux encryptors seen to date. Due to this adoption, almost all ransomware gangs have created dedicated VMware ESXi ...
1 year ago Bleepingcomputer.com

Change Healthcare's New Ransomware Nightmare Goes From Bad to Worse - Change Healthcare is facing a new cybersecurity nightmare after a ransomware group began selling what it claims is Americans' sensitive medical and financial records stolen from the health care giant. RansomHub claimed it had health care data on ...
10 months ago Wired.com

Vulnerability Summary for the Week of March 11, 2024 - Published 2024-03-15 CVSS Score not yet calculated Source & Patch Info CVE-2021-47111416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - Product linux - linux Description In the ...
11 months ago Cisa.gov

Vulnerability Summary for the Week of March 4, 2024 - Published 2024-03-06 CVSS Score not yet calculated Source & Patch Info CVE-2023-52584416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - ...
11 months ago Cisa.gov

CVE-2009-4358 - freebsd-update in FreeBSD 8.0, 7.2, 7.1, 6.4, and 6.3 uses insecure permissions in its working directory (/var/db/freebsd-update by default), which allows local users to read copies of sensitive files after a (1) freebsd-update fetch (fetch) or (2) ...
15 years ago

CVE-2008-5736 - Multiple unspecified vulnerabilities in FreeBSD 6 before 6.4-STABLE, 6.3 before 6.3-RELEASE-p7, 6.4 before 6.4-RELEASE-p1, 7.0 before 7.0-RELEASE-p7, 7.1 before 7.1-RC2, and 7 before 7.1-PRERELEASE allow local users to gain privileges via unknown ...
5 years ago

No Signs of Unpatched Vulnerabilities Discovered in ESXiArgs Ransomware Attacks - VMware reported on Monday that there is no proof that hackers are using an unknown security flaw, also known as a zero-day, in its software as part of a ransomware attack. Most reports suggest that outdated products with known vulnerabilities that ...
2 years ago Thehackernews.com

Change Healthcare Hit By Cyber Extortion Again - Change Healthcare, a subsidiary of UnitedHealth Group, has been facing renewed extortion from cybercriminals just a month after paying a ransom to prevent the release of data stolen in a February 2024 ransomware attack. The attack, orchestrated by ...
10 months ago Infosecurity-magazine.com

Latest Information Security and Hacking Incidents - The ransomware strain Qilin has surfaced as a new danger to computers using VMware ESXi, which is a recent development in the cryptocurrency space. Concerned observers have expressed concern over the fact that this Qilin Linux version exhibits a ...
1 year ago Cysecurity.news

Cyberattack on telecom giant Frontier claimed by RansomHub - An April cyberattack on a large telecommunications company has been claimed by a ransomware gang that is gaining steam as a cybercriminal operation. On Saturday, the RansomHub operation posted Frontier Communications to its leak site claiming to have ...
7 months ago Therecord.media

RansomHouse gang automates VMware ESXi attacks with new MrAgent tool - The RansomHouse ransomware operation has created a new tool named 'MrAgent' that automates the deployment of its data encrypter across multiple VMware ESXi hypervisors. RansomHouse is a ransomware-as-a-service operation that emerged in December 2021 ...
1 year ago Bleepingcomputer.com

Windows 10 Extended Security Updates Promised for Small Businesses and Home Users - Already common for enterprises, for the first time, individuals will also get the option to pay for extended security updates for a Windows operating system that's out of support. Windows 10 will stop getting free updates, including security fixes, ...
1 year ago Techrepublic.com

Attack Vector vs Attack Surface: The Subtle Difference - Cybersecurity discussions about "Attack vectors" and "Attack surfaces" sometimes use these two terms interchangeably. This article guides you through the distinctions between attack vectors and attack surfaces to help you better understand the two ...
2 years ago Trendmicro.com

A largescale ransomware attack is targeting VMware ESXi servers around the world - Administrators, hosting providers, and the French Computer Emergency Response Team have warned that attackers are actively targeting VMware ESXi servers that have not been patched against a two-year-old remote code execution vulnerability to deploy ...
2 years ago Bleepingcomputer.com

Embedded Linux IoT Security: Defending Against Cyber Threats - Embedded Linux IoT systems are now essential parts of many different kinds of products, from industrial machinery and smart appliances to medical equipment and automobile systems. As Embedded Linux is being used widely, it has attracted the attention ...
1 year ago Securityboulevard.com

The internet is already scary enough without April Fool's jokes - Thankfully in the security world, I think we've all gotten the hint at this point that we can't just post whatever we want on April 1 of each calendar year and expect people to get the joke. I've put my guard down so much at this point that I ...
10 months ago Blog.talosintelligence.com

IT and OT cybersecurity: A holistic approach - In comparison, OT refers to the specialized systems that control physical processes and industrial operations. OT Technologies include industrial control systems, SCADA systems and programmable logic controllers that directly control physical ...
1 year ago Securityintelligence.com

9 Best DDoS Protection Service Providers for 2024 - eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More. One of the most powerful defenses an organization can employ against distributed ...
1 year ago Esecurityplanet.com

The Embedded Systems and The Internet of Things - The Internet of Things is a quite new concept dealing with the devices being connected to each other and communicating through the web environment. This concept is gaining its popularity amongst the embedded systems that exist - let's say - 10 or ...
1 year ago Cyberdefensemagazine.com

BlackLock Emerging As a Major Player In RaaS With Variants for Windows, VMWare ESXi, & Linux Environments - Since its emergence in March 2024, the BlackLock ransomware operation (aka El Dorado) has executed a meteoric rise through the ransomware-as-a-service (RaaS) ranks, leveraging custom-built malware and sophisticated anti-detection techniques to ...
16 hours ago Cybersecuritynews.com

Any.RUN Sandbox Now Expanded to Analyze Linux Malware - The ANY.RUN sandbox has now been updated with support for Linux, further enhancing its ability to provide an isolated and secure environment for malware analysis and threat hunting. ANY.RUN allows malware analysts, SOC members, and DFIR team members ...
1 year ago Gbhackers.com

Latest Cyber News

Fedora Linux Kernel Vulnerability Let Attackers Gain Access to Sensitive Data - 7 minutes ago
Multiple NVIDIA CUDA Toolkit Vulnerabilities Let Attackers Trigger DoS - 22 minutes ago
Microsoft Power Pages 0-Day Vulnerability Exploited in the Wild - 48 minutes ago
APT-C-28 Group Launched New Cyber Attack With Fileless RokRat Malware - 48 minutes ago
Microsoft Admin Guide to Block & Remove Apps on Endpoints - 1 hour ago
AWS Key Hunter - A Free Automated Tool to Detect Exposed AWS keys - 1 hour ago
Symantec Diagnostic Tool Vulnerability Let Attackers Escalate Privileges - 1 hour ago
NSA Added New Features to Supercharge Ghidra 11.3 - 2 hours ago
New NailaoLocker ransomware used against EU healthcare orgs - 2 hours ago
Ghost Ransomware Compromised Organisations Across 70+ Countries - 2 hours ago
Windows Disk Cleanup Tool Vulnerability Exploited to Gain SYSTEM Privileges - 6 hours ago
Citrix NetScaler Vulnerability Allows Unauthorized Command Execution - 8 hours ago
Australian Infrastructure Faces 'Acute' Foreign Threats - 8 hours ago
Critical Microsoft Bing Vulnerability Let Attackers Execute Code Remotely - 9 hours ago
Hackers Weaponize Jarsigner App To Execute XLoader Malware - 9 hours ago
New Snake Keylogger Attacking Chrome, Edge, and Firefox Users - 10 hours ago
Insight Partners, VC Giant, Falls to Social Engineering - 11 hours ago
Russian Groups Target Signal Messenger in Spy Campaign - 12 hours ago
CVE-2023-51303 - 13 hours ago
CVE-2025-25196 - 13 hours ago

Cyber Trends (last 7 days)

Okta - 1 year ago
23andMe - 1 year ago
Kimsuky - 1 year ago
LogoFAIL - 1 year ago
Gh0st rat - 1 year ago

Trending Cyber News (last 7 days)

Fedora Linux Kernel Vulnerability Let Attackers Gain Access to Sensitive Data - 7 minutes ago
Multiple NVIDIA CUDA Toolkit Vulnerabilities Let Attackers Trigger DoS - 22 minutes ago
APT-C-28 Group Launched New Cyber Attack With Fileless RokRat Malware - 48 minutes ago
Microsoft Power Pages 0-Day Vulnerability Exploited in the Wild - 48 minutes ago
Microsoft Admin Guide to Block & Remove Apps on Endpoints - 1 hour ago
AWS Key Hunter - A Free Automated Tool to Detect Exposed AWS keys - 1 hour ago
Symantec Diagnostic Tool Vulnerability Let Attackers Escalate Privileges - 1 hour ago
NSA Added New Features to Supercharge Ghidra 11.3 - 2 hours ago
New NailaoLocker ransomware used against EU healthcare orgs - 2 hours ago
Ghost Ransomware Compromised Organisations Across 70+ Countries - 2 hours ago
Content Credentials Show Promise, But Ecosystem Still Young - 14 hours ago
Windows Disk Cleanup Tool Vulnerability Exploited to Gain SYSTEM Privileges - 6 hours ago
Citrix NetScaler Vulnerability Allows Unauthorized Command Execution - 8 hours ago
Australian Infrastructure Faces 'Acute' Foreign Threats - 8 hours ago
Critical Microsoft Bing Vulnerability Let Attackers Execute Code Remotely - 9 hours ago
Hackers Weaponize Jarsigner App To Execute XLoader Malware - 9 hours ago
New Snake Keylogger Attacking Chrome, Edge, and Firefox Users - 10 hours ago
CVE-2025-26466 - 2 days ago
CVE-2024-45775 - 1 day ago
CVE-2024-45776 - 1 day ago