Black Basta ransomware for Linux targets VMware ESXi systems

The latest ransomware group, Black Basta, has added capabilities for encrypting VMware ESXi virtual machines (VMs) on enterprise Linux systems.

Many ransomware gangs now focus their attacks on ESXi VMs because the technique matches their enterprise targeting and lets a single command encrypt several servers' worth of virtual machines at once, making the encryption faster.

Since many firms have recently moved to virtual machines, which offer easier device management and more efficient resource usage, encrypting VMs is an effective way to hit a large part of a victim's infrastructure.

Another ransomware operation is now extorting organizations by encrypting their ESXi servers.

Uptycs Threat Research analysts stated in a new report that they discovered new Black Basta ransomware binaries that target VMware ESXi hosts.

Linux ransomware encryptors are nothing new, and BleepingComputer has previously covered similar encryptors released by LockBit, HelloKitty, BlackMatter, REvil, AvosLocker, RansomEXX, and Hive, among others.

Black Basta's Linux encryptor, like other Linux encryptors, looks for the /vmfs/volumes folder where the virtual machines are stored on infected ESXi hosts (if no such folder is found, the ransomware exits).

BleepingComputer was unable to identify command-line parameters that would allow this encryptor to target additional paths for encryption, implying that it is designed solely to target ESXi servers.

The ransomware encrypts data with the ChaCha20 algorithm and uses multithreading to take advantage of multiple processors and speed up the encryption process.

While encrypting, the ransomware appends the .basta extension to the names of encrypted files and drops a readme.txt ransom note in each folder.

The notes include a link to the chat support panel and a unique ID that victims can use to contact the attackers.
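The behaviour described above (activity under /vmfs/volumes, a .basta suffix on encrypted files, a readme.txt note in each folder) translates directly into a datastore triage check. The script below is an added example written for this article, not code from Uptycs or BleepingComputer; it walks a datastore tree, collects those indicators, and rates a directory that holds both a note and renamed files as the strongest signal. The sample VM folders it creates are constructed in a temporary directory purely for the demonstration.

```python
"""Triage an ESXi datastore tree for Black Basta-style encryption indicators.

Added example, not from the article or from Uptycs. Heuristics are taken from
the reported behaviour: the encryptor works under /vmfs/volumes, renames
encrypted files with a .basta suffix, and drops readme.txt in each folder.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_SUFFIX = ".basta"      # extension reported for encrypted files
RANSOM_NOTE = "readme.txt"       # note name reported for each folder
DATASTORE_ROOT = "/vmfs/volumes" # ESXi datastore mount point the encryptor looks for


@dataclass
class Findings:
    encrypted_files: list[str] = field(default_factory=list)
    ransom_notes: list[str] = field(default_factory=list)
    # directories holding both a note and renamed files: strongest signal
    hot_directories: set[str] = field(default_factory=set)

    @property
    def severity(self) -> str:
        if self.hot_directories:
            return "critical"
        if self.encrypted_files or self.ransom_notes:
            return "suspicious"
        return "clean"


def scan_datastore(root: str) -> Findings:
    """Walk a datastore tree and collect ransomware indicators per directory."""
    findings = Findings()
    for dirpath, _dirs, files in os.walk(root):
        has_note = False
        has_encrypted = False
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                findings.ransom_notes.append(full)
                has_note = True
            elif name.endswith(ENCRYPTED_SUFFIX):
                findings.encrypted_files.append(full)
                has_encrypted = True
        if has_note and has_encrypted:
            findings.hot_directories.add(dirpath)
    return findings


def build_sample_datastore(base: str) -> str:
    """Create a constructed ESXi-like tree: one healthy VM folder, one hit."""
    root = Path(base) / "vmfs" / "volumes" / "datastore1"
    healthy = root / "web01"
    healthy.mkdir(parents=True)
    (healthy / "web01.vmx").write_text('config.version = "8"\n')
    (healthy / "web01-flat.vmdk").write_bytes(b"\x00" * 64)
    hit = root / "db01"
    hit.mkdir()
    (hit / "db01.vmx.basta").write_bytes(b"\xde\xad" * 8)        # constructed ciphertext
    (hit / "db01-flat.vmdk.basta").write_bytes(b"\xbe\xef" * 8)  # constructed ciphertext
    (hit / RANSOM_NOTE).write_text("constructed ransom note placeholder\n")
    return str(root)


def demo() -> Findings:
    """Build the constructed datastore, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_datastore(tmp)
        return scan_datastore(root)


if __name__ == "__main__":
    result = demo()
    print(result.severity, len(result.encrypted_files), len(result.ransom_notes))
    for directory in sorted(result.hot_directories):
        print("note and encrypted files in:", directory)
```

On a live host the check would be run against DATASTORE_ROOT rather than the constructed tree; because the encryptor exits when /vmfs/volumes is absent, an unexpected absence or sudden renaming of that path is itself worth alerting on.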

“The Black Basta initially appeared this year in April, when its variations targeted Windows PCs,” stated Uptycs’ Siddharth Sharma and Nischay Hegde.

“We suspect the actors behind this attack are the same who targeted Windows PCs before with the Black Basta ransomware, based on the chat assistance URL and encrypted file extension.”

Black Basta ransomware has been active since the second week of April, when it was first discovered in the wild, and the operation has aggressively scaled up its attacks against businesses all over the world.

Although the gang’s ransom demands likely vary by victim, BleepingComputer knows of at least one victim who received a demand for more than $2 million for a decryptor and to avoid having its data leaked online.

While little is known about the new ransomware group, its demonstrated ability to quickly breach new victims and its negotiation approach suggest that this is most likely not a new operation but a rebrand (possibly of the Conti ransomware operation).

Other ransomware gangs besides the ones mentioned above, such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle, Snatch, PureLocker, and DarkSide, have built and used their own Linux encryptors, according to Emsisoft CTO Fabian Wosar.

“Most ransomware gangs create a Linux-based version of their ransomware to especially target ESXi,” Wosar added.
