vmware


VMware ESXi is a widely deployed hypervisor used to run and manage virtual machines. ESXi is an attractive ransomware target because compromising a single host lets an attacker encrypt every virtual machine running on that server at once.

Several Linux ransomware variants target VMware ESXi. Among the most well-known are:

1. RansomExx ransomware

First appearance: July 2020

Notable targets:

  • Brazil’s government networks
  • Texas Department of Transportation (TxDOT)
  • Business technology giant Konica Minolta
  • Leading U.S. laser developer IPG Photonics
  • Government software provider Tyler Technologies

RansomExx is ransomware that encrypts a victim’s files and demands a ransom to unlock them. Regarded as one of the most advanced ransomware families currently in circulation, it has hit several well-known companies, including Acer, Travelex, and Konica Minolta.

Source: https://www.bleepingcomputer.com/news/security/ransomexx-ransomware-also-encrypts-linux-systems/

2. HelloKitty ransomware

First appearance: November 2020

Targeting Sectors:

  • Healthcare
  • Finance
  • Government
  • Manufacturing
  • Retail

HelloKitty is ransomware that encrypts a victim’s files and demands a fee to unlock them. It most commonly spreads through phishing emails and the exploitation of software flaws. Once installed, it searches the victim’s computer for files that are valuable to them, such as documents, images, and videos.

When it locates these files, it encrypts them with strong encryption. The victim is then presented with a ransom note explaining how to pay. The size of the victim’s organization and the value of the encrypted data usually determine how large a ransom is demanded.

Source: https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/

3. REvil ransomware

First appearance: April 2019

REvil, also known as Sodinokibi, was a prominent ransomware-as-a-service (RaaS) operation that ran from at least April 2019 until it was shut down in January 2022.

REvil’s attacks usually targeted large organizations, and the group demanded exorbitant ransoms to unlock the encrypted data. In some cases REvil also threatened to release stolen data if the ransom was not paid.

Source: https://www.bleepingcomputer.com/news/security/revil-ransomwares-new-linux-encryptor-targets-esxi-virtual-machines/

4. BlackMatter ransomware

First appearance: July 2020

BlackMatter is ransomware that encrypts a victim’s files and demands a ransom to unlock them. Initially identified in July 2021, it has since been used against a range of organizations, including ones headquartered in the United States. BlackMatter is believed to be a rebrand of DarkSide, a ransomware group that operated in 2021.

Source: https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/

5. LockBit

First appearance: January 2021

LockBit is ransomware that encrypts a victim’s files and demands a ransom payment to decrypt them. It is one of the most advanced ransomware families now in circulation and has been used to extract some of the largest ransoms of any ransomware group.

Source: https://www.bleepingcomputer.com/news/security/linux-version-of-lockbit-ransomware-targets-vmware-esxi-servers/

6. Black Basta

First appearance: 2022

The ransomware-as-a-service (RaaS) group Black Basta first surfaced in early 2022. It has rapidly grown into one of the most active and effective RaaS groups, targeting a variety of organizations including government offices, healthcare facilities, and educational institutions.

Black Basta is well known for double extortion and complex attack chains. In a double-extortion attack the group encrypts the victim’s files and demands a ransom to unlock them, and additionally threatens to release the victim’s stolen data if the ransom is not paid.

Source: https://www.bleepingcomputer.com/news/security/linux-version-of-black-basta-ransomware-targets-vmware-esxi-servers/

7. Akira ransomware

First appearance: March 2023

Targeting Sectors:

  • Education
  • Finance
  • Real estate
  • Manufacturing
  • Consulting

Akira is a ransomware family that first appeared in March 2023. It targets corporate networks across the globe, encrypting important documents and demanding large sums of money both to recover the data and to prevent it from being published online.

Akira usually enters target networks through spear-phishing campaigns or brute-force attacks on exposed Remote Desktop Protocol (RDP) services. Once inside the network, it propagates to every other reachable computer and encrypts all of the files on each machine.

Source: https://www.bleepingcomputer.com/news/security/linux-version-of-akira-ransomware-targets-vmware-esxi-servers/

8. Monti locker

First appearance: June 2022

Targeting Sectors:

  • Legal
  • Financial
  • Healthcare

Monti locker is a variant of the Monti ransomware that specifically targets VMware ESXi systems. It encrypts the data on the ESXi host together with all of the virtual machines (VMs) running on it.

Monti locker typically gains access to ESXi servers through misconfigurations or unpatched software flaws. Once inside, it encrypts every virtual machine (VM) running on the server.

Source: https://www.bleepingcomputer.com/news/security/monti-ransomware-targets-vmware-esxi-servers-with-new-linux-locker/