The RansomHub ransomware operation, active since February 2024, is now utilizing a Linux-based encryptor specifically designed to attack VMware ESXi environments in corporate settings. This ransomware-as-a-service (RaaS) operation has connections with ALPHV/BlackCat and Knight ransomware and has affected over 45 victims in 18 countries.
The discovery of both Windows and Linux encryptors for RansomHub was confirmed in early May. Recently, the group also developed an ESXi-specific variant, first observed in April 2024. Unlike the Windows and Linux encryptors written in Go, the ESXi version is a C++ program, likely evolving from the now-defunct Knight ransomware.
Interestingly, there is a bug in the ESXi version that defenders can exploit to cause the ransomware to enter an endless loop, preventing it from encrypting files.
Virtual machines (VMs) are increasingly used by enterprises to host servers due to their efficient management of CPU, memory, and storage resources. As a result, many ransomware groups have developed encryptors targeting VMware ESXi servers. RansomHub is among these, with its ESXi encryptor offering various command-line options to set execution delays, exclude specific VMs from encryption, target particular directory paths, and more.
Additionally, the encryptor disables syslog and other critical services to impede logging and can delete itself after execution to avoid detection and analysis. It employs ChaCha20 encryption with Curve25519 for key generation and partially encrypts ESXi-related files (such as ‘.vmdk,’ ‘.vmx,’ ‘.vmsn’) to enhance performance. Specifically, it encrypts only the first megabyte of files larger than 1MB, with encryption blocks recurring every 11MB. A 113-byte footer containing the victim’s public key, ChaCha20 nonce, and chunk count is added to each encrypted file.
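The partial-encryption layout described above (first 1 MiB of a large file encrypted, the encrypted chunk repeating every 11 MiB, a 113-byte footer appended) gives incident responders something concrete to look for when triaging a datastore. The following is an added example for this article, not code from the RansomHub operation or from any analysis tool: it samples the regions the scheme would encrypt and the gaps it would leave alone, computes their Shannon entropy, and reports whether a file's entropy profile matches the pattern. The three size constants come from the article; the footer being the trailing 113 bytes, the 64 KiB sample size, and the entropy thresholds are assumptions made for illustration, and the sample data is constructed, not a real encrypted VMDK.

```python
"""Triage scanner for the intermittent-encryption pattern described for the RansomHub
ESXi encryptor. Added example; constants from the article, everything else is an
assumption for illustration."""
import math
import os
from collections import Counter

ENCRYPTED_CHUNK = 1024 * 1024        # 1 MiB encrypted at the start of each block (article)
BLOCK_STRIDE = 11 * 1024 * 1024      # encrypted blocks recur every 11 MiB (article)
FOOTER_LEN = 113                     # footer appended to each encrypted file (article)
SAMPLE_LEN = 64 * 1024               # bytes inspected per region (assumption: keeps scans cheap)
HIGH_ENTROPY = 7.5                   # bits/byte; at or above this a sample looks like ciphertext (assumption)
LOW_ENTROPY = 6.5                    # bits/byte; at or below this a sample looks like plaintext (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def encrypted_regions(body_len: int):
    """Yield (offset, length) of the regions the scheme would encrypt in a file body
    (footer excluded). A body of at most 1 MiB is treated as fully encrypted."""
    offset = 0
    while offset < body_len:
        yield offset, min(ENCRYPTED_CHUNK, body_len - offset)
        offset += BLOCK_STRIDE


def plaintext_regions(body_len: int):
    """Yield (offset, length) of the gaps between encrypted chunks, left untouched."""
    offset = ENCRYPTED_CHUNK
    while offset < body_len:
        yield offset, min(BLOCK_STRIDE - ENCRYPTED_CHUNK, body_len - offset)
        offset += BLOCK_STRIDE


def assess(data: bytes) -> dict:
    """Return sampled entropies for both region kinds plus a verdict string."""
    if len(data) <= FOOTER_LEN:
        return {"verdict": "too_small", "encrypted": [], "plaintext": []}
    body = data[:-FOOTER_LEN]   # assumption: the 113-byte footer sits at the very end
    enc = [shannon_entropy(body[o:o + min(n, SAMPLE_LEN)]) for o, n in encrypted_regions(len(body))]
    plain = [shannon_entropy(body[o:o + min(n, SAMPLE_LEN)]) for o, n in plaintext_regions(len(body))]
    looks_encrypted = all(e >= HIGH_ENTROPY for e in enc)
    looks_plain = all(p <= LOW_ENTROPY for p in plain)
    if looks_encrypted and plain and looks_plain:
        verdict = "matches_intermittent_pattern"
    elif looks_encrypted and not plain:
        verdict = "high_entropy_throughout"   # small file: fully encrypted, or simply compressed data
    else:
        verdict = "no_match"
    return {"verdict": verdict, "encrypted": enc, "plaintext": plain}


def constructed_sample(body_len: int) -> bytes:
    """Constructed test data, not a real artefact: low-entropy filler with random bytes
    placed where the scheme would put ciphertext, plus a dummy 113-byte footer."""
    body = bytearray(b"VMDK-PLAINTEXT-PADDING\n" * (body_len // 23 + 1))[:body_len]
    for offset, length in encrypted_regions(body_len):
        body[offset:offset + length] = os.urandom(length)
    return bytes(body) + b"\x00" * FOOTER_LEN


if __name__ == "__main__":
    for size_mib in (3, 12):
        result = assess(constructed_sample(size_mib * 1024 * 1024))
        print(f"{size_mib} MiB constructed sample -> {result['verdict']}, "
              f"encrypted regions sampled: {len(result['encrypted'])}")
    print("all-zero file ->", assess(bytes(2 * 1024 * 1024) + bytes(FOOTER_LEN))["verdict"])
```

Treat a match as a triage signal rather than proof: compressed or already-encrypted guest data inside a VMDK can also show high entropy at the sampled offsets, so a hit should be confirmed by inspecting the trailer and the file's modification time against the incident timeline.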
To prevent ransomware attacks like RansomHub targeting VMware ESXi environments, organizations should implement robust security measures such as regular software updates, comprehensive backups, and network segmentation. Additionally, monitoring for unusual activity and promptly applying security patches can help mitigate vulnerabilities. Deploying endpoint detection and response (EDR) solutions is also a critical step in protecting your organization.