The newly discovered BlackMatter ransomware is evolving quickly to have a diversified victim list. As observed, BlackMatter now aims at VMware ESXi servers as well for its ransomware attacks.
BlackMatter Ransomware Targeting VMware ESXi
The BlackMatter ransomware recently caught attention after it emerged as the successor to the now-defunct REvil and DarkSide ransomware groups.
Although, neither REvil or Darkside, nor BlackMatter itself has precisely announced anything in this regard. However, as the researchers observed the new threat, they could connect DarkSide and BlackMatter. In fact, it appeared more of a rebranded version of the DarkSide ransomware.
Whatever the case is, the new ransomware is evolving quite rapidly to be distinct from the supposed predecessors.
Recently, the MalwareHunterTeam found a new Linux encryptor in the wild, simply dubbed as “Linux.Encryptor”.
Later, security researcher Vitali Kremez could confirm it as the variant of BlackMatter ransomware specifically targeting VMware ESXi servers.
According to Bleeping Computer, the new threat creates “esxi_utils” library to perform various activities on the target servers. The malware would use the command-line management tool to execute different commands via different functions.
It would also attempt to shut down virtual machines when targeting ESXi servers. This is common to all ransomware aiming at ESXi servers as it helps in encrypting multiple servers with a single command.
Hence, the threat now becomes even more dangerous for the corporate sector that frequently relies on ESXi servers.
Before this one, the RansomEXX ransomware has also acquired the capability to target Linux machines. With such a broad capacity, the attackers conducted several high-profile attacks globally.
As for BlackMatter, it already has listed a few names on its victim list soon after appearing online.
Yet, the threat actors would presumably remain selective in targeting their victims. They have already mentioned a precise exemption list for the sectors that they won’t attack. Thus, targeting ESXi servers hints at the threat actors’ typical aim at the business sector.