December 9, 2023

REvil ransomware operators are active again, and this time they are targeting VMware ESXi virtual machines. This is the first time a sample of the group's Linux variant has been publicly available.

The new REvil Linux variant is an ELF64 executable that includes the same configuration options used by the more common Windows executable.

When executed on an ESXi server, the operator behind this new Linux variant can pre-define the path to encrypt and enable a silent mode. The encryptor runs the esxcli command-line tool to list all running ESXi virtual machines.

esxcli is then used to terminate those virtual machines, which releases the locks that ESXi holds on their VMDK files under /vmfs/. Without this step the running VMs would keep their disk files open and the encryptor could not overwrite them; killing the VMs first is what lets REvil encrypt the targeted files.
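The enumerate-then-kill sequence described above is a good hunting signal on its own, because administrators rarely force-kill every VM on a host within a few seconds. The POSIX sh script below is an added example (it is not code from the article and not REvil's code): it scans an extract of ESXi's shell log, which records commands entered in the ESXi Shell, for a "vm process list" followed by a burst of forced "vm process kill" commands. The log lines are constructed for the example and their field layout is an approximation of /var/log/shell.log (an assumption; adjust the patterns to what your ESXi version writes). The esxcli commands in the sample are VMware's documented syntax, not a claim about REvil's exact command line.

```shell
#!/bin/sh
# Added hunting example: flag "enumerate VMs, then force-kill them in bulk"
# in an ESXi shell.log extract. Log layout below is an assumption.

SAMPLE_LOG="$(mktemp)"   # constructed sample: suspicious sequence
BENIGN_LOG="$(mktemp)"   # constructed sample: normal admin activity
trap 'rm -f "$SAMPLE_LOG" "$BENIGN_LOG"' EXIT

cat > "$SAMPLE_LOG" <<'EOF'
2021-06-30T10:14:58Z shell[2096]: [root]: esxcli system version get
2021-06-30T10:15:02Z shell[2096]: [root]: esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list
2021-06-30T10:15:03Z shell[2096]: [root]: esxcli vm process kill --type=force --world-id=2101344
2021-06-30T10:15:03Z shell[2096]: [root]: esxcli vm process kill --type=force --world-id=2101402
2021-06-30T10:15:03Z shell[2096]: [root]: esxcli vm process kill --type=force --world-id=2101517
2021-06-30T10:15:04Z shell[2096]: [root]: esxcli vm process kill --type=force --world-id=2101610
EOF

cat > "$BENIGN_LOG" <<'EOF'
2021-06-30T09:02:11Z shell[1880]: [root]: esxcli vm process list
2021-06-30T09:02:40Z shell[1880]: [root]: esxcli vm process kill --type=soft --world-id=2100977
EOF

# Number of "esxcli vm process kill" invocations in the log file.
# "|| true" keeps grep's exit status 1 on zero matches from aborting under set -e.
count_vm_kills() {
    grep -c 'esxcli vm process kill' "$1" || true
}

# World IDs handed to "esxcli vm process kill", one per line.
killed_world_ids() {
    sed -n 's/.*esxcli vm process kill.*--world-id=\([0-9][0-9]*\).*/\1/p' "$1"
}

# True (exit 0) when a VM listing is followed by at least $2 forced kills
# (default 3). That ordering is the pre-encryption step the article describes.
enumerate_then_kill() {
    log="$1"
    threshold="${2:-3}"
    list_line=$(grep -n 'esxcli .*vm process list' "$log" | head -n 1 | cut -d: -f1)
    [ -n "$list_line" ] || return 1
    kills=$(tail -n "+$list_line" "$log" | grep -c 'esxcli vm process kill --type=force' || true)
    [ "$kills" -ge "$threshold" ]
}

# Report for the suspicious sample.
for log in "$SAMPLE_LOG" "$BENIGN_LOG"; do
    echo "$log: forced/soft VM kills = $(count_vm_kills "$log")"
    if enumerate_then_kill "$log"; then
        echo "  ALERT: VM enumeration followed by bulk forced kills; world IDs:"
        killed_world_ids "$log" | sed 's/^/    /'
    else
        echo "  no enumerate-then-kill burst"
    fi
done
```

On a real host, point the functions at /var/log/shell.log (or at the copy your syslog collector keeps, which survives the host being wiped) and pair the alert with the hypervisor's own VM power-off events; forced kills of several VMs within seconds of a listing should page someone even outside an incident.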

Other ransomware operations adopting Linux variants

Other ransomware operations, such as RansomExx/Defray, Babuk, GoGoogle, DarkSide, HelloKitty, and Mespinoza, have also developed Linux encryptors that target ESXi virtual machines.

Threat actors have also been observed actively scanning for internet-exposed VMware ESXi hosts left unpatched against CVE-2019-5544 and CVE-2020-3992, two critical vulnerabilities in the OpenSLP service that ships with ESXi (they affect the ESXi host itself, not vCenter).

REvil can encrypt multiple servers with just a single command, and several ransomware groups are actively developing or have already built Linux encryptors aimed at virtual machines. Experts therefore recommend hardening ESXi hosts (for example, running them in lockdown mode, keeping them patched, and disabling unneeded services such as SLP), keeping the management interface off the internet, and adding further layers of security around the hypervisor.
