Linux Ransomware “Black Basta” Targets VMware ESXi Servers
Black Basta is the latest ransomware group to add support for encrypting VMware ESXi virtual machines (VMs) running on enterprise Linux servers.
Most ransomware groups focus their attacks on ESXi virtual machines, a tactic that is consistent with their enterprise targeting. It also makes it possible to rapidly encrypt multiple servers with a single command.
Encryption of virtual machines makes sense because many companies have moved to virtual machines in recent years, making device management easier and resource usage much more efficient.
Another Ransomware Group Targets ESXi Servers
Analysts at Uptycs Threat Research revealed in a new report that they have discovered a new Black Basta ransomware binary specifically targeting VMware ESXi servers.
Linux ransomware encryption tools are not new, and BleepingComputer has reported on similar encryption tools released by several other gangs, such as LockBit, HelloKitty, BlackMatter, REvil, AvosLocker, RansomEXX, and Hive.
Like other Linux encryption software, the Black Basta ransomware binary searches the /vmfs/ volume where virtual machines on infected ESXi servers are stored (if no such folder is found, the ransomware terminates).
BleepingComputer could not find any command line arguments that target other paths for encryption, suggesting that this encryptor is specifically designed to target only ESXi servers.
The ransomware encrypts files using the ChaCha20 algorithm. It also uses multi-threading to speed up the encryption process by using multiple processors.
During encryption, the ransomware appends the extension .basta to the names of encrypted files and creates a ransom note named readme.txt in each folder.
The note contains a link to a chat support panel and a unique ID that the victim can use to communicate with the attacker.
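The indicators described above (files under /vmfs/, the .basta extension, and a readme.txt note in each folder) can be turned into a quick triage sweep of a datastore tree. The Python script below is an added example, not code from Uptycs, BleepingComputer or the ransomware itself; the function names and the sample directory layout are constructed for illustration.

```python
import os
import tempfile

ENCRYPTED_EXT = ".basta"  # extension appended to encrypted files (from the article)
NOTE_NAME = "readme.txt"  # ransom note dropped in each folder (from the article)


def scan_datastores(root="/vmfs"):
    """Walk root; return {directory: {"encrypted": [...], "note": bool}}
    for every directory that holds at least one indicator."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        encrypted = sorted(f for f in files if f.lower().endswith(ENCRYPTED_EXT))
        note = NOTE_NAME in files
        if encrypted or note:
            findings[dirpath] = {"encrypted": encrypted, "note": note}
    return findings


def triage(findings):
    """Split findings into high-confidence hits (renamed files and a note in
    the same folder) and weak hits (one indicator only; a lone readme.txt
    is a common benign file name and needs manual review)."""
    high = sorted(d for d, f in findings.items() if f["encrypted"] and f["note"])
    weak = sorted(d for d in findings if d not in high)
    return high, weak


def build_sample_tree(base):
    """Constructed sample layout for the demo; not real victim data."""
    layout = {
        "datastore1/vm-a": ["vm-a.vmdk.basta", "vm-a.vmx.basta", "readme.txt"],
        "datastore1/vm-b": ["vm-b.vmdk", "vm-b.vmx"],
        "datastore1/iso": ["readme.txt"],
    }
    for rel, names in layout.items():
        folder = os.path.join(base, rel)
        os.makedirs(folder)
        for name in names:
            open(os.path.join(folder, name), "w").close()
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        high, weak = triage(scan_datastores(build_sample_tree(tmp)))
        print("high confidence:", high)
        print("needs review:", weak)
```

On a real host, call scan_datastores() with the datastore root instead of the temporary sample tree.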
“Black Basta was first identified in April of this year, and its variants targeted Windows systems,” said Siddharth Sharma and Nischay Hegde of Uptycs.
“Based on the chat support links and encrypted file extensions, we believe the actor behind this campaign is the same one that previously targeted Windows systems with the Black Basta ransomware.”
Active since April
Black Basta ransomware was first discovered in the wild during the second week of April, quickly intensifying attacks targeting businesses worldwide.
While the ransom demands of this gang are likely to vary from victim to victim, BleepingComputer knows of at least one victim who has been asked for more than $2 million for the decryptor and to avoid having their data leaked online.
Not much else is known about this new ransomware gang, but their ability to quickly infiltrate new victims and their negotiating style suggest that this is not a new operation, but rather a rebrand (possibly a rebrand of the Conti ransomware operation).
Fabian Wosar, CTO of Emsisoft, previously told BleepingComputer that other ransomware gangs (other than the one reported here) have also developed and use their own Linux encryption tools. “Most ransomware groups have implemented Linux-based versions because they specifically target ESXi,” Wosar explains.
Mitigating the danger of online fraud in today’s rapidly evolving cyber-security landscape demands a multi-layered approach that encompasses a variety of tactics. Businesses can protect themselves against cybercrime by implementing appropriate preventative measures and virtual server backup solutions, and by avoiding spending more on coffee than on IT security. You do, in fact, need to understand how to back up a VMware virtual machine and how to choose Hyper-V backup software.