The RansomHub ransomware operation is now employing a Linux encryptor specifically designed to target VMware ESXi environments during corporate attacks.
Launched in February 2024, RansomHub operates as a ransomware-as-a-service (RaaS) with connections to ALPHV/BlackCat and Knight ransomware. The group has claimed over 45 victims across 18 countries.
Since early May, both Windows and Linux RansomHub encryptors have been confirmed. Recently, Recorded Future reported that the group also possesses an ESXi variant, first observed in April 2024. Unlike the Windows and Linux versions written in Go, the ESXi encryptor is a C++ program, likely evolved from the now-defunct Knight ransomware.
Interestingly, Recorded Future identified a bug in the ESXi variant that defenders can exploit to cause the encryptor to enter an endless loop, thereby evading encryption.
Enterprises widely use virtual machines to manage their servers due to their efficient CPU, memory, and storage resource management. Consequently, many ransomware gangs have developed dedicated VMware ESXi encryptors to target these environments. RansomHub's ESXi encryptor supports various command-line options, including setting execution delays, specifying VMs to exclude from encryption, and targeting specific directory paths.
The encryptor features ESXi-specific commands such as 'vim-cmd vmsvc/getallvms' and 'vim-cmd vmsvc/snapshot.removeall' for snapshot deletion, and 'esxcli vm process kill' for shutting down VMs. It also disables syslog and other critical services to hinder logging and can delete itself after execution to evade detection and analysis.
The encryption scheme uses ChaCha20 with Curve25519 for key generation and targets ESXi-related files like '.vmdk,' '.vmx,' and '.vmsn' with intermittent encryption for faster performance. Specifically, it encrypts only the first megabyte of files larger than 1MB, repeating encryption blocks every 11MB. A 113-byte footer is added to each encrypted file containing the victim's public key, ChaCha20 nonce, and chunks count. The ransom note is written to '/etc/motd' (Message of the Day) and '/usr/lib/vmware/hostd/docroot/ui/index.html' to make it visible on login screens and web interfaces.
Recorded Future analysts discovered that the ESXi variant uses a file named '/tmp/app.pid' to check for an existing instance. If this file contains a process ID, the ransomware attempts to kill that process and then exits. However, if the file contains '-1,' the ransomware enters an infinite loop, trying to kill a non-existent process, thus neutralizing itself.
This means organizations can create a /tmp/app.pid file containing '-1' to protect against the RansomHub ESXi variant, at least until the RaaS operators fix the bug and release updated versions for their affiliates.
