World’s richest hacker group now focusing on Linux and NAS devices with new ransomware variant

A recent report notes that REvil ransomware operators are now using a Linux encryptor to attack virtual machines running on VMware ESXi. This could be an especially prolific period for threat actors, as companies are migrating to virtual deployments for efficient backup management, device management, and other tasks.

A few weeks ago, a report from Advanced Intel included a post taken from a REvil forum in which the operators confirmed the release of a working version of their encryptor for Linux systems and some network attached storage (NAS) deployments.

Later, a group of researchers found a sample of REvil for Linux that appeared to be aimed at ESXi servers. Advanced Intel experts analyzed this malware and concluded that it is an ELF64 executable that includes the same configuration options as the Windows version of REvil.

This is apparently the first time a Linux variant of this malware has been detected; when it runs, threat actors can specify a path whose files are to be encrypted and enable a silent mode, the report says.

When running on ESXi servers, the malware runs the esxcli command-line tool to list all running virtual machines and terminate them.

The command is used to shut down the virtual machines so that the virtual machine disk (VMDK) files stored under the /vmfs/ folder are closed, allowing REvil to encrypt them without ESXi locking the files. If a virtual machine is not shut down properly before its files are encrypted, the data could be corrupted.
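As an added detection example (not from the report or this article), the following Python check scans constructed ESXi shell.log-style lines and flags a shell session in which an esxcli VM listing is followed by several forced VM kills, also noting whether the same session referenced /vmfs/, the sequence described above. The log line layout, the `shell[<pid>]` grouping and the `./encryptor` command in the sample are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the shape of ESXi /var/log/shell.log entries; not taken from the report.
# The "./encryptor" command line is a placeholder, not the real malware's name or flags.
SAMPLE_SHELL_LOG = """\
2021-06-29T10:01:02Z shell[2099619]: [root]: esxcli vm process list
2021-06-29T10:01:03Z shell[2099619]: [root]: esxcli vm process kill --type=force --world-id=2100101
2021-06-29T10:01:03Z shell[2099619]: [root]: esxcli vm process kill --type=force --world-id=2100223
2021-06-29T10:01:04Z shell[2099619]: [root]: esxcli vm process kill --type=force --world-id=2100345
2021-06-29T10:01:05Z shell[2099619]: [root]: ./encryptor --path /vmfs/volumes --silent
2021-06-29T14:30:00Z shell[2100999]: [root]: esxcli vm process list
2021-06-29T14:31:00Z shell[2100999]: [root]: esxcli vm process kill --type=soft --world-id=2100777
"""

# Assumed layout: "<ISO timestamp> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")


def parse_shell_log(text):
    """Turn shell.log text into dicts with a parsed timestamp; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        entries.append(e)
    return entries


def find_mass_vm_kill(entries, min_kills=2, window_seconds=60):
    """Flag shell sessions (grouped by shell PID) where 'esxcli vm process list' is followed within
    window_seconds by at least min_kills 'esxcli vm process kill' commands. A single kill, as an
    administrator might issue, stays below the threshold. Also reports whether the session touched /vmfs/."""
    by_pid = defaultdict(list)
    for e in entries:
        by_pid[e["pid"]].append(e)
    hits = []
    for pid, sess in by_pid.items():
        sess.sort(key=lambda e: e["ts"])
        list_ts = [e["ts"] for e in sess if e["cmd"].startswith("esxcli vm process list")]
        if not list_ts:
            continue
        kills = [e for e in sess if e["cmd"].startswith("esxcli vm process kill")
                 and 0 <= (e["ts"] - list_ts[0]).total_seconds() <= window_seconds]
        if len(kills) >= min_kills:
            hits.append({"pid": pid, "user": sess[0]["user"], "kills": len(kills),
                         "vmfs_access": any("/vmfs/" in e["cmd"] for e in sess)})
    return hits
```

On the sample, only the first session is flagged: three forced kills within seconds of a listing, plus a command referencing /vmfs/; the second session's single kill is below the threshold.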

Finally, the reports mention that other ransomware groups such as Babuk, RansomExx, DarkSide and HelloKitty may be developing their own Linux encryptors to attack ESXi deployments, since migrating to virtual machines is a very common practice nowadays.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.