Linux version of Qilin ransomware focuses on VMware ESXi

Linux version of Qilin ransomware focuses on VMware ESXi

December 3, 2023 at 04:11PM

Security researchers discovered an advanced Linux encryptor made by the Qilin ransomware gang targeting VMware ESXi servers. This customizable encryptor focuses on virtual machine encryption and snapshot deletion while offering a wide range of command-line options for operational flexibility. Qilin, which emerged from the “Agenda” operation, conducts double-extortion attacks and has been increasingly active, recently targeting Yanfeng. Ransom demands vary from thousands to millions of dollars.

**Meeting Summary: Qilin Ransomware Analysis**

1. **Threat Details:**
– Qilin ransomware gang’s encryptor for VMware ESXi found; considered highly advanced and customizable for Linux servers.
– Adoption of virtual machines in enterprises targeted by ransomware gangs, including Qilin, using custom encryptors.

2. **Technical Analysis:**
– Security researcher MalwareHunterTeam discovered a versatile Linux ELF64 encryptor specific to Qilin and shared it for analysis.
– The encryptor offers extensive command-line options allowing for deep customization, including debug modes, dry runs, and file targeting specs.
– Default configurations include exclusions for certain processes, directories, files, and extensions, while specifying directories and files to target.
– Virtual machines’ specifics can be configured to be exempt from encryption.

3. **Operational Capabilities:**
– Requires a starting directory and a password to initiate encryption.
– Recognizes the server environment (Linux, FreeBSD, or VMware ESXi) to use specific commands.
– For VMware ESXi, uses modified commands to potentially exploit a memory heap exhaustion bug and enhance encryption performance.
– Before encryption, the malware terminates all VMs and deletes their snapshots with specific commands.

4. **Ransom Demands and Note:**
– Generates a ransom note in each folder post-encryption, with demands ranging from $25,000 to millions and links to contact the gang for negotiations.

5. **Background and Behavioral Pattern:**
– Qilin, originally named “Agenda,” began operations in August 2022, rebranding in September.
– Follows a pattern of network breach, data theft, lateral spread, server credentials acquisition, and finally, deployment of ransomware for double-extortion attacks.
– Notable victim highlighted: auto-parts giant Yanfeng, demonstrating Qilin’s active and ongoing threats towards the end of 2023.

The takeaways from this meeting revolve around understanding the technical aspects and operational approach of the Qilin ransomware, its tactical adaptations against virtualized server environments, and the significant risk it poses to enterprises due to its advanced and highly customizable encryptor. Security teams should be on high alert for such threats and adopt appropriate defensive measures.

Please let me know if a more detailed report or specific actions are required based on this analysis.

Full Article