Ransomware Desires VMware Hypervisors in Ongoing Campaign

Published: 23/11/2024   Category: security

A Babuk variant has been involved in at least four attacks on VMware ESXi servers in the last six weeks, in one case demanding $140 million from a Chilean data center company.



What appears to be a fresh variant of the Babuk ransomware has emerged to attack VMware ESXi servers in several countries, including a confirmed hit on IxMetro PowerHost, a Chilean data center hosting company. The variant calls itself SEXi, a play on its target platform of choice.

According to CronUp cybersecurity researcher Germán Fernández, PowerHost CEO Ricardo Rubem issued a statement confirming that a new ransomware variant had locked up the company's servers using the .SEXi file extension, with the initial access vector to the internal network as yet unknown. The attackers requested $140 million in ransom, which Rubem indicated would not be paid.
SEXi's emergence stands at the crossroads of two major ransomware trends: the rash of threat actors who have developed malware based on the Babuk source code, and a lust for compromising tantalizingly juicy VMware ESXi servers.
Meanwhile, Will Thomas, CTI researcher at Equinix, uncovered what he believes to be a binary related to that used in the attack, dubbed LIMPOPOx32.bin and tagged as a Linux version of Babuk in VirusTotal. At press time, that malware has a 53% detection rate on VT, with 34 out of 64 security vendors flagging it as malicious since it was first uploaded on Feb. 8. MalwareHunterTeam spotted it back on Valentine's Day, when it was being used without the SEXi handle in an attack on an entity in Thailand.
But Thomas further discovered other, related binaries. As he tweeted, "SEXi ransomware attack on IXMETRO POWERHOST linked to broader campaign that has hit at least three Latin American countries." These call themselves Socotra (used in an attack in Chile on March 23); Limpopo again (used in an attack in Peru on Feb. 9); and Formosa (used in an attack in Mexico on Feb. 26). Concerningly, at press time all three registered zero detections in VT.
Together, the findings showcase the development of a novel campaign using various SEXi iterations that all lead back to Babuk.

There's no indication of where the malware operators originate from or what their intentions are. But slowly a set of tactics, techniques, and procedures is emerging. For one, the binaries' nomenclature comes from place names. Limpopo is the northernmost province of South Africa; Socotra is a Yemeni island in the Indian Ocean; and Formosa was a short-lived republic located on Taiwan in the late 1800s, after China's Qing Dynasty ceded its rule over the island.
And, as MalwareHunterTeam pointed out on X, "maybe interesting / worth to mention about this SEXi ransomware that the communication method specified by the actors in the note is Session. While we['ve] seen some actors using it even years ago already, I [don't] remember seeing it in relation to any big/serious cases/actors."

Session is a cross-platform, end-to-end encrypted instant messaging application emphasizing user confidentiality and anonymity. The ransom note in the IX PowerHost attack urged the company to download the app and then send a message with the code SEXi; the earlier note in the Thai attack urged the Session download but to include the code Limpopo.
VMware's ESXi hypervisor platform runs on Linux and Linux-like OS, and can host multiple, data-rich virtual machines (VMs). It has been a popular target for ransomware actors for years now, partly because of the size of the attack surface: There are tens of thousands of ESXi servers exposed to the Internet, according to a Shodan search, with most of them running older versions. And that doesn't take into account those that are reachable after an initial access breach of a corporate network.

Also contributing to ransomware gangs' growing interest in ESXi, the platform doesn't support any third-party security tooling.
"Unmanaged devices such as ESXi servers are a great target for ransomware threat actors," according to a report from Forescout released last year. That's because of the valuable data on these servers, a growing number of exploited vulnerabilities affecting them, their frequent Internet exposure and the difficulty of implementing security measures, such as endpoint detection and response (EDR), on these devices. "ESXi is a high-yielding target for attackers since it hosts several VMs, allowing attackers to deploy malware once and encrypt numerous servers with a single command."
VMware has a guide for securing ESXi environments. Specific suggestions include: Make sure ESXi software is patched and up-to-date; harden passwords; remove servers from the Internet; monitor for abnormal activity in network traffic and on ESXi servers; and ensure there are backups of the VMs outside the ESXi environment to enable recovery.
