The ransomware gang behind CD Projekt Red’s attack uses a Linux variant that targets VMware’s ESXi virtual machine platform for maximum damage.
As organizations move workloads onto virtual machines for easier backup and resource management, attackers are developing new tactics, including Linux encryptors that target the hypervisors hosting those machines. Last week, MalwareHunterTeam found several Linux ELF-64 versions of the HelloKitty ransomware targeting VMware ESXi servers and the virtual machines (VMs) running on them.
Forced shutdown of virtual machines
VMware ESXi is one of the most popular enterprise virtual machine platforms, and an increasing number of ransomware operations are releasing Linux encryptors that target it. VMware ESXi, formerly known as ESX, has its own custom kernel, but it is capable of running ELF-64 Linux executables.
Although it was already known that HelloKitty uses a Linux encryptor, this is the first sample that MalwareHunterTeam’s researchers have publicly disclosed. They shared samples of the ransomware with BleepingComputer. When run, the ransomware attempts to shut down any running virtual machines before encrypting.
Encrypting virtual machines with a single command
When shutting down the virtual machines, the ransomware first attempts a graceful shutdown using the ‘soft’ command. If a virtual machine is still running, it attempts an immediate shutdown using the ‘hard’ command. Finally, if any virtual machines are still running, the malware uses the ‘force’ command to terminate them.
Once the virtual machines are shut down, the ransomware begins encrypting .vmdk (virtual hard disk), .vmsd (metadata and snapshot information), and .vmsn (active state of the VM) files. Shutting the VMs down first releases the locks on these files, which is what lets a ransomware gang encrypt many virtual machines with a single command on the host.
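The soft/hard/force escalation described above is a detectable pattern on the host: a legitimate administrator rarely issues all three kill types against the same VM within seconds, and almost never across every VM on the host in one burst. The following Python script is an added example (not code from the article or from any vendor) that looks for both patterns in ESXi shell-history style log lines. The log lines are constructed for this example; the `esxcli vm process kill --type=... --world-id=...` form is the documented ESXi command, but the timestamp and prefix layout is assumed and would need adjusting to match your own ESXi log forwarding.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the general shape of an ESXi shell log
# (timestamp, shell[pid], user, command). These are made up for this example.
SAMPLE_LOG = """\
2021-07-15T09:12:01Z shell[12345]: [root]: esxcli vm process list
2021-07-15T09:12:03Z shell[12345]: [root]: esxcli vm process kill --type=soft --world-id=2100123
2021-07-15T09:12:04Z shell[12345]: [root]: esxcli vm process kill --type=soft --world-id=2100456
2021-07-15T09:12:09Z shell[12345]: [root]: esxcli vm process kill --type=hard --world-id=2100123
2021-07-15T09:12:14Z shell[12345]: [root]: esxcli vm process kill --type=force --world-id=2100123
2021-07-15T11:40:00Z shell[12999]: [admin]: esxcli vm process kill --type=soft --world-id=2100789
"""

# Matches only the VM kill command; every other shell line is ignored.
KILL_RE = re.compile(
    r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: "
    r"esxcli vm process kill --type=(?P<type>soft|hard|force) --world-id=(?P<wid>\d+)"
)

# Order in which the encryptor escalates if the VM is still running.
ESCALATION = ["soft", "hard", "force"]


def parse_kills(text):
    """Return (timestamp, user, kill_type, world_id) tuples for each kill command."""
    events = []
    for line in text.splitlines():
        m = KILL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["type"], m["wid"]))
    return events


def find_escalations(events, window=timedelta(seconds=60)):
    """World-ids that saw soft, then hard, then force kills within `window`."""
    by_wid = defaultdict(list)
    for ts, _user, ktype, wid in events:
        by_wid[wid].append((ts, ktype))
    hits = []
    for wid, seq in by_wid.items():
        seq.sort()
        idx, start = 0, None
        for ts, ktype in seq:
            if ktype != ESCALATION[idx]:
                continue  # out-of-order or repeated type; keep looking
            if idx == 0:
                start = ts
            idx += 1
            if idx == len(ESCALATION):
                if ts - start <= window:
                    hits.append(wid)
                break
    return hits


def find_bursts(events, window=timedelta(seconds=60), min_vms=2):
    """Users who killed at least `min_vms` distinct VMs inside any `window`.

    Returns {user: max_distinct_vms_in_window} for users above the threshold.
    """
    by_user = defaultdict(list)
    for ts, user, _ktype, wid in events:
        by_user[user].append((ts, wid))
    bursts = {}
    for user, seq in by_user.items():
        seq.sort()
        best = 0
        for i, (start, _) in enumerate(seq):
            wids = {w for ts, w in seq[i:] if ts - start <= window}
            best = max(best, len(wids))
        if best >= min_vms:
            bursts[user] = best
    return bursts


if __name__ == "__main__":
    kills = parse_kills(SAMPLE_LOG)
    print("escalation on world-ids:", find_escalations(kills))
    print("kill bursts by user:", find_bursts(kills))
```

The `min_vms` threshold of 2 suits the six-line sample; on a real host you would raise it to something above the number of VMs an operator plausibly stops by hand in a minute, and forward the alert together with the datastore file-change telemetry for the .vmdk/.vmsd/.vmsn paths, since the kill burst precedes the encryption by seconds.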
What is HelloKitty ransomware?
HelloKitty is a ransomware group that has been active since November 2020. They stole the source code for several games from the video game company “CD Projekt RED” and uploaded it to their leak site.
Source: Cloud7