June 20, 2024 at 05:32PM
RansomHub ransomware has a Linux encryptor tailored for VMware ESXi environments. Launched in February 2024, RansomHub has affected over 45 victims across 18 countries. An ESXi variant was detected in April 2024, presenting a bug that defenders can exploit. Additionally, the encryptor has specific commands and a unique encryption scheme.
Based on the meeting notes, here are the key takeaways:
1. RansomHub ransomware operation is using a Linux encryptor designed specifically to encrypt VMware ESXi environments in corporate attacks.
2. RansomHub is a ransomware-as-a-service (RaaS) operation launched in February 2024 and has claimed over 45 victims across 18 countries.
3. Recorded Future reports that the threat group also has a specialized ESXi variant in its arsenal, which it first saw in April 2024.
4. An interesting bug has been found in the ESXi variant that defenders can leverage to send it to an endless loop and evade encryption.
5. The enterprise has adopted the use of virtual machines to host their servers, making them a target for ransomware attacks.
6. RansomHub’s ESXi encryptor has various command-line options for setting an execution delay, specifying which VMs should be excluded from encryption, what directory paths to target, and more.
7. The encryptor disables critical services to hinder logging and can be configured to delete itself after execution to avoid detection and analysis.
8. The encryption scheme uses ChaCha20 with Curve25519 for generating public and private keys and encrypts ESXi related files only partially for faster performance.
9. The ransom note is written to specific files to make it visible on login screens and web interfaces.
10. Organizations can create a specific file to put the RansomHub ESXi variant into an endless loop, effectively neutralizing it until the RaaS operators fix the bug and roll out updated versions.
These takeaways provide a clear understanding of the RansomHub ransomware operation and its specific targeting of VMware ESXi environments, as well as potential defensive measures against it.