
New Linux Variant of RansomHub Attacking ESXi Systems
Hackers frequently target ESXi systems: ESXi is widely deployed in enterprise environments to run virtualized infrastructure, so a single compromised hypervisor can take down every virtual machine it hosts, which makes ESXi a lucrative target.
Threat actors exploit security flaws in ESXi to deploy ransomware and carry out other malicious activities, greatly increasing the impact on affected organizations.
Recorded Future's Insikt Group recently reported that a new Linux variant of RansomHub is actively targeting ESXi systems.
RansomHub Attacking ESXi Systems
RansomHub is a ransomware-as-a-service (RaaS) platform that began operating in February 2024; it targets multiple operating systems with malware written in Go and C++.
Attracting Experienced Affiliates
The program pays affiliates a 90% commission, which draws experienced operators; to date it has claimed 45 victims in 18 countries, many of them in the IT sector.
There are also code similarities between RansomHub and the ALPHV (BlackCat) and Knight ransomware families, suggesting a possible connection between the groups.
Organizations should therefore consider both immediate and long-term security measures to contain this emerging threat.
A Growing Threat in Multi-OS Environments
In February 2024, a user named “koley” advertised on the RAMP forum a new ransomware platform called RansomHub, featuring Go and C++ malware with a broad feature set aimed at Windows, Linux, and ESXi systems.
Such multi-OS tooling is now typical: cross-platform ransomware attacks increased sevenfold between 2022 and 2023, greatly expanding the pool of potential victims.
High Commissions and Strategic Attacks
RansomHub’s high 90% commission rate attracts experienced affiliates and has driven rapid growth: 45 victims in 18 countries so far, concentrated in the IT industry.
This reflects a “big game hunting” approach: targeting high-value victims who are likely to pay large ransoms because operational downtime is so costly for them.
Exploiting Trust to Increase Extortion
Furthermore, RansomHub affiliates have abused misconfigured Amazon S3 instances to access backups that providers stored for several of their customers, then threatened those customers in an extortion scheme intended to make them buy the data back.
The strategy capitalizes on the trust between a provider and its customers. In a related high-profile case, the group put up for sale 4 TB of data stolen from Change Healthcare, a U.S.-based healthcare technology company.
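The S3 abuse described above starts with a bucket policy that lets anyone read. The following is an added example, not code from Recorded Future or the affiliates: a pure-Python triage check over bucket policy documents (the JSON that `GetBucketPolicy` returns) that flags `Allow` statements granting object reads or listing to an anonymous principal. The sample policies, bucket name, account ID and VPC endpoint ID are constructed placeholders.

```python
import fnmatch
import json

# Permissions that let an outsider list and pull objects (the backup data).
READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _matching_read_actions(actions):
    """READ_ACTIONS covered by the statement's actions (wildcards, case-insensitive)."""
    patterns = [p.lower() for p in _as_list(actions)]
    return [a for a in READ_ACTIONS
            if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]


def public_read_statements(policy_doc):
    """Return Allow statements granting read access to an anonymous principal.

    Each finding carries the Sid, the read actions granted, the resources and a
    'conditional' flag: a Condition block (aws:SourceVpce, aws:SourceIp, ...)
    may narrow the grant, so it is reported for review rather than passed.
    """
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        granted = _matching_read_actions(stmt.get("Action"))
        if not granted:
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement[{idx}]"),
            "actions": granted,
            "resources": _as_list(stmt.get("Resource")),
            "conditional": bool(stmt.get("Condition")),
        })
    return findings


# Constructed sample policies; the bucket, account and endpoint IDs are placeholders.
OPEN_BACKUP_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-client-backups",
                 "arn:aws:s3:::example-client-backups/*"]
  }]
}"""

LOCKED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "BackupAgentOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-agent"},
    "Action": "s3:*", "Resource": "arn:aws:s3:::example-client-backups/*"
  }]
}"""

VPC_ONLY_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VpcEndpointRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:Get*", "Resource": "arn:aws:s3:::example-client-backups/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}
  }]
}"""

if __name__ == "__main__":
    for name, doc in (("open", OPEN_BACKUP_POLICY), ("locked", LOCKED_POLICY),
                      ("vpc-only", VPC_ONLY_POLICY)):
        print(name, public_read_statements(doc))
```

This is a triage heuristic, not a full IAM evaluator: it does not model `NotAction`/`NotPrincipal`, explicit `Deny` statements, bucket ACLs or the account-level Block Public Access setting, so a bucket that passes here still needs those checked, and a finding with `conditional` set needs a human to confirm the condition actually restricts the caller.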
Connections to Other Ransomware Groups
Insikt Group assesses that RansomHub is closely related to ALPHV (BlackCat) and Knight ransomware on the basis of code similarities. One shared trait is that the encryptor must be launched with a password; without it the sample will not run, which hinders automated analysis in sandboxes.
Mitigation Strategies
The ESXi variant allows only one instance of itself to run and tracks this through the file /tmp/app.pid. One possible mitigation is therefore to pre-create or alter that file so the encryptor concludes that another instance is already running and refuses to start.
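The exact logic of RansomHub's check is not described on this page, so the following is an added example rather than the malware's code: a model of the generic PID-file single-instance guard in two common forms (one that only tests whether the file exists, one that also verifies the PID it names is alive), and the pre-seeding mitigation against both. It runs in a scratch directory, with `app.pid` standing in for /tmp/app.pid.

```python
import os
import tempfile


def pid_alive(pid):
    """True if a process with this PID exists; signal 0 probes without killing."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists but belongs to another user
    return True


def try_start(pid_file, validate_pid=False):
    """Emulate an encryptor's single-instance check; return True if it would run.

    validate_pid=False: the file's mere existence means "already running".
    validate_pid=True:  the file is honoured only if it names a live process,
                        so a stale or garbage file is simply overwritten.
    When the check passes the caller's PID is written to claim the lock.
    """
    if os.path.exists(pid_file):
        if not validate_pid:
            return False
        try:
            with open(pid_file) as fh:
                other = int(fh.read().strip())
        except ValueError:
            other = -1
        if other > 0 and pid_alive(other):
            return False
    with open(pid_file, "w") as fh:
        fh.write(str(os.getpid()))
    return True


def seed_lock_file(pid_file, pid=1):
    """Mitigation: pre-create the lock naming a process that never exits.

    PID 1 (init) is always alive, so the seeded file satisfies both the naive
    existence check and a liveness-validating one.
    """
    with open(pid_file, "w") as fh:
        fh.write(str(pid))


def demo():
    """Run the scenarios in a scratch directory (app.pid stands in for /tmp/app.pid)."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        pid_file = os.path.join(scratch, "app.pid")

        results["first_run"] = try_start(pid_file)      # no file: starts
        results["second_run"] = try_start(pid_file)     # file exists: blocked

        os.remove(pid_file)
        seed_lock_file(pid_file)
        results["seed_blocks_naive"] = not try_start(pid_file)
        results["seed_blocks_validating"] = not try_start(pid_file, validate_pid=True)

        # A garbage file only fools the naive check; a validating guard overwrites it.
        with open(pid_file, "w") as fh:
            fh.write("not-a-pid")
        results["garbage_blocks_naive"] = not try_start(pid_file)
        results["garbage_blocks_validating"] = not try_start(pid_file, validate_pid=True)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:28s} {outcome}")
```

Two caveats for anyone applying this on a real host: /tmp on ESXi is a ramdisk, so a seeded /tmp/app.pid disappears on reboot and would have to be re-created at boot (for example from /etc/rc.local.d/local.sh), and an attacker who already has root on the hypervisor can simply delete the file. Treat the seed as a cheap tripwire that may stop an unmodified build, not as a substitute for the controls below.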
Below are the recommended mitigations:
- Segment the network to limit lateral movement.
- Use a SIEM for centralized logging and detection.
- Deploy EDR and run YARA, Sigma and Snort rules for malware detection.
- Enforce least privilege and MFA for remote access.
- Take periodic offline, isolated data backups.
- Perform consistent system audits.
- Keep all systems patched and up to date.