Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Crime Security Linux

New Linux Version of Ransomware Targets VMware ESXi (bleepingcomputer.com) 23

"Researchers observed a new Linux variant of the TargetCompany ransomware family that targets VMware ESXi environments," reports BleepingComputer: In a report Wednesday, cybersecurity company Trend Micro says that the new Linux variant for TargetCompany ransomware makes sure that it has administrative privileges before continuing the malicious routine... Once on the target system, the payload checks if it runs in a VMware ESXi environment by executing the 'uname' command and looking for 'vmkernel.' Next, a "TargetInfo.txt" file is created and sent to the command and control (C2) server. It contains victim information such as hostname, IP address, OS details, logged-in users and privileges, unique identifiers, and details about the encrypted files and directories. The ransomware will encrypt files that have VM-related extensions (vmdk, vmem, vswp, vmx, vmsn, nvram), appending the ".locked" extension to the resulting files.

Finally, a ransom note named "HOW TO DECRYPT.txt" is dropped, containing instructions for the victim on how to pay the ransom and retrieve a valid decryption key.
"After all tasks have been completed, the shell script deletes the payload using the 'rm -f x' command so all traces that can be used in post-incident investigations are wiped from impacted machines."

Thanks to long-time Slashdot reader joshuark for sharing the article.
This discussion has been archived. No new comments can be posted.

New Linux Version of Ransomware Targets VMware ESXi

Comments Filter:
  • by Joe_Dragon ( 2206452 ) on Saturday June 08, 2024 @05:05PM (#64534121)

    how often are people sshing into an ESXI box?
    Does this run on other systems to scan the network?

    • by NFN_NLN ( 633283 )

      You're supposed to disable SSH access unless/until you actually need it for troubleshooting:
      https://docs.vmware.com/en/VMw... [vmware.com]

      • by gweihir ( 88907 ) on Saturday June 08, 2024 @06:03PM (#64534213)

        Actually, you are supposed to use dedicated, hardened, low-attack-surface systems for any admin logins to servers. Some people find that too much effort though and hence get hit.

        • Actually, you are supposed to use dedicated, hardened, low-attack-surface systems for any admin logins to servers. Some people find that too much effort though and hence get hit.

          This. Ideally admins should be authenticating approved accounts and machines to a dedicated admin VLAN. Separating the admin broadcast segment from the user LAN, limits the attack surface further. No sense in allowing an attacker to even sniff for admin-related chatter, whether they have an employee badge or not.

          • by gweihir ( 88907 )

            Indeed. But too many IT security "experts" are clueless and too many organizations try to cheap-ass IT security.

    • by Anonymous Coward

      how often are people sshing into an ESXI box?

      The ssh interface is used by many backup solutions as you can iterate vms on that host, manage snapshots, and scp them out as flattened full disk images, all in one fell swoop.

      There also used to be centralized vm management systems that could manage esxi over ssh, for people with the free version without vsphere.

  • by Going_Digital ( 1485615 ) on Saturday June 08, 2024 @05:14PM (#64534133)
    This new ransomware has the name Broadcom.
  • by Anonymous Coward on Saturday June 08, 2024 @05:31PM (#64534167)
    I am running Windows 11 and so this malware can not touch me.
  • by Mirnotoriety ( 10462951 ) on Saturday June 08, 2024 @05:35PM (#64534171)
    “Trend Micro says that the new Linux variant for TargetCompany ransomware makes sure that it has administrative privileges [bleepingcomputer.com] before continuing the malicious routine.”

    Do they mean the malware can't achieve root on its own.

    How is this custom script malware loaded and executed on the target?
    • by gweihir ( 88907 ) on Saturday June 08, 2024 @06:04PM (#64534215)

      This is just the ransomware part. The way to get root on the target is left to other tools.

      • > This is just the ransomware part. The way to get root on the target is left to other tools.

        A total non-story then /s
        • by gweihir ( 88907 )

          Not completely. It still shows that apparently getting into Linux installations is easy enough these days that creating the tool from the story makes sense. Probably too many Windows "admins" responsible for Linux servers these days....

          • > .. apparently getting into Linux installations is easy enough these days ..

            Provide a link to malware that installs itself as root without user action.
            • by gweihir ( 88907 )

              Why should I? I have not made any claims as to how attackers get into Linux installations. I just claimed that apparently getting into Linux installations is easy enough to justify the effort of creating the tool from the story, which represents a significant effort. Obviously, with competent system administration, it is still _not_ easy to get into Linux (unlike Windows, where you have to go to extreme measures to secure a system), but it looks very much like competent system administration is not done in

  • ...I'd argue VMware _IS_ the ramsomware.

  • Once on the target system, the payload checks if it runs in a VMware ESXi environment by executing the 'uname' command and looking for 'vmkernel.'

    Oh, if only there was a way to stop this type of attack? Perhaps, if end users could modify the uname command results to not include the text vmkernel?

    • by Jeremi ( 14640 ) on Sunday June 09, 2024 @08:13AM (#64535241) Homepage

      Perhaps, if end users could modify the uname command results to not include the text vmkernel?

      If you execute a malware script with root privileges, the wording of the text returned by uname is the least of your worries. Sure, you might fool this particular version of this particular malware by altering that, but the next version of the malware would simply check using some other technique, and would still have access to encrypt all of your files.

  • No offense to JOSHUARK (he's had a lot of good contributions) but if your profile ID resembles a telephone number, you're maybe not such a long-time Slashdot reader...

    joshuark (6549270) [slashdot.org]

    • by kenh ( 9056 )

      Sorry, meant to include this line from TFS:

      Thanks to long-time Slashdot reader joshuark for sharing the article

    • by KlomDark ( 6370 )
      Yeah, punk? Look how high your number is... Newb! :)
    • Y'all have user IDs like P.O. Box numbers.

      Send $9.95 plus shipping and handling to receive your first shipment of Bacons of the World. These highly collectible preserved meats will provide endless hours of enjoyment for you and your family. And if you act now, we will include a FREE bacon press and bacon bag.

Someday somebody has got to decide whether the typewriter is the machine, or the person who operates it.

Working...