Black Basta ransomware now supports encrypting VMware ESXi servers

Pierluigi Paganini June 08, 2022

Black Basta ransomware gang implemented a new feature to encrypt VMware ESXi virtual machines (VMs) running on Linux servers.

The Black Basta ransomware gang now supports encryption of VMware ESXi virtual machines (VMs) running on Linux servers.

Researchers from Uptycs first reported the discovery of the new Black Basta ransomware variant that supports encryption of VMWare ESXi servers.

The move aims at expanding potential targets, the support for VMware ESXi was already implemented by many ransomware families, including LockBitHelloKittyBlackMatter, and REvil.

Black Basta has been active since April 2022, like other ransomware operations, it implements a double-extortion attack model.  

The ransomware will append the .basta extension to the encrypted filenames and create ransom notes named readme.txt in each folder.

black basta

Researchers from NCC Group recently spotted a new partnership in the threat landscape between the Black Basta ransomware group and the QBot malware operation. NCC Group researchers discovered the new partnership while investigating a recent incident, unlike past collaborations Black Basta gang is using QBot to spread laterally throughout the target network.

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit:

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Black Basta ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment