The newly discovered BlackMatter ransomware is evolving quickly to broaden its victim list. Researchers have now observed a BlackMatter variant aimed at VMware ESXi servers as well.
BlackMatter Ransomware Targeting VMware ESXi
The BlackMatter ransomware recently caught attention after it emerged as the successor to the now-defunct REvil and DarkSide ransomware groups.
Neither REvil, DarkSide, nor BlackMatter itself has announced anything to that effect. However, researchers analysing the new threat were able to link DarkSide and BlackMatter; in fact, it appeared to be more of a rebranded version of the DarkSide ransomware.
Whatever the case, the new ransomware is evolving rapidly and becoming distinct from its supposed predecessors.
Recently, MalwareHunterTeam found a new Linux encryptor in the wild, simply named “Linux.Encryptor”.
Another Linux ransomware sample that is using esxcli: 6a7b7147fea63d77368c73cef205eb75d16ef209a246b05698358a28fd16e502
File is simply named "Linux.Encryptor"…
cc @VK_Intel @demonslay335 pic.twitter.com/0kgP3vCj32
— MalwareHunterTeam (@malwrhunterteam) August 4, 2021
Later, security researcher Vitali Kremez could confirm it as the variant of BlackMatter ransomware specifically targeting VMware ESXi servers.
2021-08-05: Introducing #BlackMatter #Ransomware x64 Linux Variant | esxcli variant |
usual BlackMatter struct ➡️ “bot_id” | “bot_company”
1⃣ Custom C Methods:
///
esxi_utils
files_proc
file_encrypter
setup_impl
web_reporter
///
2⃣ Encryption Mode | dark/white/min-size https://t.co/kUQvw5FAJv pic.twitter.com/tCiRHeuBsv
— Vitali Kremez (@VK_Intel) August 5, 2021
According to BleepingComputer, the new threat includes an “esxi_utils” library to perform various activities on the target servers. The malware uses the esxcli command-line management tool to execute different commands via different functions.
It also attempts to shut down virtual machines when targeting ESXi servers. This is common to all ransomware aimed at ESXi servers, since it lets the attacker encrypt the many virtual servers hosted on one machine with a single command.
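Because the behaviour described above shows up as a burst of esxcli VM shutdown commands on the host, one detection a defender can run is a rate check over the ESXi shell history. The script below is an added example written for this article; it is not code from the article, from BleepingComputer, or from the malware itself. It assumes the ESXi shell.log layout “timestamp shell[pid]: [user]: command”, and the log lines it parses are constructed for the demonstration rather than taken from a real incident.

```python
import re
from datetime import datetime

# Constructed sample of ESXi /var/log/shell.log lines (not from the article or
# any real incident). Each line records one command typed at the ESXi shell.
SAMPLE_SHELL_LOG = """\
2021-08-05T09:58:12Z shell[2099001]: [root]: esxcli vm process list
2021-08-05T09:58:40Z shell[2099001]: [root]: esxcli vm process kill --type=force --world-id=2100123
2021-08-05T09:58:41Z shell[2099001]: [root]: esxcli vm process kill --type=force --world-id=2100456
2021-08-05T09:58:43Z shell[2099001]: [root]: esxcli vm process kill --type=force --world-id=2100789
2021-08-05T09:58:44Z shell[2099001]: [root]: esxcli vm process kill --type=force --world-id=2100901
2021-08-05T12:30:00Z shell[2099555]: [root]: esxcli vm process kill --type=soft --world-id=2100222
2021-08-05T12:31:10Z shell[2099555]: [root]: ls /vmfs/volumes
"""

# Assumed shell.log layout: "<ISO timestamp> shell[<pid>]: [<user>]: <command>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) shell\[\d+\]: "
    r"\[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)
# esxcli command that stops a running VM; the optional --type flag is captured
# so the alert can report how many kills were forced.
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b(?:.*--type=(?P<type>\w+))?")
WORLD_RE = re.compile(r"--world-id=(?P<wid>\d+)")


def parse_shell_log_line(line):
    """Return a dict with ts (datetime), user and cmd, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "user": m.group("user"),
        "cmd": m.group("cmd"),
    }


def find_vm_kill_bursts(lines, window_seconds=60, threshold=3):
    """Cluster VM kill commands that fall within window_seconds of the first one
    and return clusters of at least threshold kills. An administrator normally
    stops one VM at a time; an encryptor stops many in quick succession."""
    events = []
    for line in lines:
        rec = parse_shell_log_line(line)
        if rec is None:
            continue
        km = KILL_RE.search(rec["cmd"])
        if km is None:
            continue
        wm = WORLD_RE.search(rec["cmd"])
        rec["world_id"] = wm.group("wid") if wm else None
        rec["kill_type"] = km.group("type") or "default"
        events.append(rec)
    events.sort(key=lambda r: r["ts"])

    bursts = []
    i = 0
    while i < len(events):
        j = i
        while (j + 1 < len(events)
               and (events[j + 1]["ts"] - events[i]["ts"]).total_seconds() <= window_seconds):
            j += 1
        cluster = events[i:j + 1]
        if len(cluster) >= threshold:
            bursts.append({
                "start": cluster[0]["ts"],
                "end": cluster[-1]["ts"],
                "count": len(cluster),
                "users": sorted({e["user"] for e in cluster}),
                "forced": sum(1 for e in cluster if e["kill_type"] == "force"),
                "world_ids": [e["world_id"] for e in cluster],
            })
        i = j + 1
    return bursts


if __name__ == "__main__":
    for b in find_vm_kill_bursts(SAMPLE_SHELL_LOG.splitlines()):
        print(f"ALERT {b['start']:%Y-%m-%d %H:%M:%S}-{b['end']:%H:%M:%S}: "
              f"{b['count']} VM kills ({b['forced']} forced) by {','.join(b['users'])}, "
              f"world ids {b['world_ids']}")
```

On the constructed sample the single lone kill at 12:30 is ignored, while the four forced kills within a few seconds at 09:58 produce one alert. The window and threshold are tunable; shipping shell.log off the host to a central log pipeline matters more than the exact numbers, since an encryptor that succeeds can also destroy the local log.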
Hence, the threat now becomes even more dangerous for the corporate sector, which frequently relies on ESXi servers.
Before this, the RansomEXX ransomware had also acquired the capability to target Linux machines. With that broader reach, the attackers conducted several high-profile attacks globally.
As for BlackMatter, it listed a few names on its victim list soon after appearing online.
Yet the threat actors will presumably remain selective in choosing their victims. They have already published a precise exemption list of sectors they won’t attack. Thus, targeting ESXi servers is consistent with the threat actors’ typical focus on the business sector.