Pierluigi Paganini June 29, 2021

The REvil ransomware operators added a Linux encryptor to their arsenal to encrypt Vmware ESXi virtual machines.

The REvil ransomware operators are now using a Linux encryptor to encrypts Vmware ESXi virtual machines which are widely adopted by enterprises.

The availability of the Linux encryptor was announced by the REvil gang in May, a circumstance that suggests the group is expanding its operation.

Now MalwareHunterTeam researchers spotted a Linux version of the REvil ransomware that also targets ESXi servers, BleepingComputer reported.

The popular malware researcher Vitali Kremez explained that the new variant is an ELF64 executable with the same configuration options as the Windows version.

“Kremez states that this is the first known time the Linux variant has been publicly available since it was released.” states BleepingComputer.

Upon executing on ESXi servers, the Linux version of the ransomware will run the esxcli command line tool to list all running ESXi virtual machines and close the virtual machine disk (VMDK) files stored in the /vmfs/ folder. Then the REvil ransomware will encrypt the files.

esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | awk -F ""*,"*" '{system("esxcli vm process kill --type=force --world-id=" $1)}'

Indicators of Compromise (IoC) for REvil Linux encryptor have been published by security expert Jaime Blasco on Alienvault’s Open Threat Exchange.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Linux)

[adrotate banner=”5″]

[adrotate banner=”13″]