VMware ESXi is apparently gaining popularity among cyber attackers. Several prominent malware operators, mostly ransomware gangs, have started targeting VMware’s hypervisor solution used by a large number of enterprises. The HelloKitty gang has been observed attacking VMware ESXi servers.
HelloKitty, the notorious ransomware gang that gained popularity after targeting the Polish gaming firm CD Projekt, has joined the growing list of ransomware operators targeting VMware ESXi.
Researchers have identified several Linux ELF64 versions of the HelloKitty ransomware, which are designed to target VMware’s ESXi virtual machine platform.
The malware uses esxcli, ESXi's command-line management tool, to enumerate the virtual machines on the host and then target them. It attempts to shut the machines down before encrypting them, since a running VM holds its disk files open. This method enables attackers to encrypt several machines using a single command.
The files targeted by HelloKitty include .vmdk (virtual hard disk), .vmsd (metadata and snapshot information), and .vmsn (contains the active state of the VM) files.
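One defender-side check for the behaviour described above, as an added example that is not from the article or the researchers' analysis: it scans ESXi shell-audit lines for a burst of `esxcli vm process kill` commands by one user inside a short window, which is the pattern a mass pre-encryption shutdown leaves behind. The log lines are constructed, and the line format (`<timestamp> shell[<pid>]: [<user>]: <command>`) is an assumption modelled on ESXi's shell.log.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines; the format is an assumption modelled on ESXi /var/log/shell.log.
SAMPLE_LOG = """\
2021-07-20T10:00:01Z shell[2001]: [root]: esxcli vm process list
2021-07-20T10:00:05Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2101234
2021-07-20T10:00:06Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2101250
2021-07-20T10:00:07Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2101266
2021-07-20T10:00:08Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2101282
2021-07-20T14:30:00Z shell[2310]: [admin]: esxcli vm process kill --type=soft --world-id=2101300
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b")


def parse_shell_log(text):
    """Yield (timestamp, user, command) for every line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], m["cmd"]


def find_kill_bursts(text, threshold=3, window=timedelta(minutes=2)):
    """Return (user, first_timestamp, count) for each non-overlapping run of at least
    `threshold` VM kill commands issued by the same user within `window`."""
    by_user = {}
    for ts, user, cmd in parse_shell_log(text):
        if KILL_RE.search(cmd):
            by_user.setdefault(user, []).append(ts)
    bursts = []
    for user, stamps in sorted(by_user.items()):
        stamps.sort()
        i = 0
        while i < len(stamps):
            j = i
            # Extend the run while later kills still fall inside the window from the first one.
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                bursts.append((user, stamps[i], count))
            i = j + 1
    return bursts


if __name__ == "__main__":
    for user, start, n in find_kill_bursts(SAMPLE_LOG):
        print(f"ALERT: {n} VM kill commands by {user} starting {start.isoformat()}Z")
```

A single administrative shutdown (the `admin` line) stays below the threshold; the four forced kills in three seconds by `root` are flagged.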
VMware ESXi servers are commonly used by enterprises to host a large number of machines. By targeting the hypervisor, attackers can encrypt many virtual machines at once with minimal effort. Organizations running these servers are therefore advised to harden them and to implement multiple layers of security.