The Week in Ransomware – August 4th 2023 – Targeting VMware ESXi

Ransomware groups persist in their focus on targeting VMware ESXi servers, with nearly every active ransomware gang now developing custom Linux encryptors tailored for this purpose. This week, BleepingComputer conducted an analysis of the Linux encryptor used by Abyss Locker, highlighting its specific design for encrypting ESXi virtual machines.

Several other ransomware operations have also crafted ESXi encryptors, including Akira, Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, HelloKitty, RansomEXX, and Hive.

Furthermore, the cybersecurity landscape saw a substantial release of research this week, including reports on the impact of ransomware on industrial organizations and critical infrastructure. A study delved into the role of cyber insurance in mitigating ransomware threats. KELA issued three reports on Qilin, the new Knight 2.0 Ransomware-as-a-Service (RaaS), and Akira. Additionally, a tool was introduced to exploit DLL hijacking vulnerabilities in ransomware to prevent encryption.


In the realm of ransomware and extortion attacks, EY and Serco have issued data breach notifications in response to the Clop MOVEit attacks. A ransomware attack on the parent company of Prospect Medical Holdings affected hospitals under its purview, though the responsible gang remains unidentified. Lastly, Argentina’s Comprehensive Medical Care Program (PAMI) fell victim to a ransomware attack that disrupted its operations.

Contributors and those who provided new ransomware information and stories this week include: @billtoulas, @Seifreed, @malwrhunterteam, @demonslay335, @serghei, @malwareforme, @LawrenceAbrams, @BleepinComputer, @Ionut_Ilascu, @Fortinet, @malvuln, @Intel_by_KELA, @DragosInc, @MrJamesSullivan, @pcrisk, and @juanbrodersen.

July 29th 2023

  • The Abyss Locker ransomware operation has joined the ranks of those targeting enterprise environments by developing a Linux encryptor specifically designed to attack VMware’s ESXi virtual machines platform.
  • A new anti-ransomware tool named RansomLord has been introduced by security researcher Malvuln. This tool exploits DLL hijacking vulnerabilities present in ransomware encryptors to terminate the processes responsible for encryption before it commences. While not offering a 100% guarantee of success, users interested in this tool are encouraged to read its accompanying readme for further details.
  • In the analysis of industrial ransomware attacks for the second quarter of 2023, it becomes evident that this period witnessed an exceptional level of activity by ransomware groups. These groups increasingly posed substantial threats to industrial organizations and critical infrastructure. The surge in ransomware attacks targeting industrial entities underscores the rapid expansion of ransomware ecosystems and the adoption of diverse tactics, techniques, and procedures (TTPs) by these groups to achieve their objectives. During Q2, Dragos observed that out of the 66 monitored groups, 33 continued to impact industrial organizations. These groups relied on previously successful tactics, including exploiting zero-day vulnerabilities, utilizing social engineering, targeting publicly accessible services, and compromising IT service providers.
  • A new variant of the Dharma ransomware, discovered by PCrisk, appends the .Z0V extension to encrypted files and drops a ransom note named Z0V.txt.
  • PCrisk has also identified new variants of the STOP ransomware that append the .pouu and .poaz extensions.

August 1st 2023

Akira Ransomware Gang Evades Decryptor, Exploiting Victims Uninterruptedly

Despite the decryptor for the Akira ransomware that was released at the end of June 2023, the group still seems to successfully extort victims. In July, we observed 15 new victims of the group, either publicly disclosed or detected by KELA in the course of their negotiations.


Cyclops Ransomware Gang Unveils Knight 2.0 RaaS Operation: Partner-Friendly and Expanding Targets

The Cyclops ransomware gang has launched a 2.0 version of its RaaS operation named Knight. On July 26, the gang announced on their blog they were “releasing the new panel and program this week”, likely referring to updates to both their ransomware strain and their affiliates’ panel. Recently, Cyclops announced they “upgraded” the operation and called for new affiliates to join the group. A thread advertising Cyclops’ RaaS has been renamed to “[RaaS]Knight”.

Qilin Ransomware Gang Adopts Uncommon Payment System: All Ransom Payments Funneled through Affiliates

In July, KELA observed that actors behind Qilin (Agenda) RaaS program have announced that ransom payments are paid only to their affiliates’ wallets. Apparently, only then a share of profits is transferred to the Qilin RaaS owners. This approach is less common for RaaS programs: usually victims are paying ransom to wallets controlled by RaaS developers/managers, and only then affiliates receive their share of ransom. The “opposite” approach, now adopted by Qilin, is known to be used by LockBit.

New Xorist ransomware variant

PCrisk found a new Xorist ransomware variant that appends the .rtg extension.


New STOP ransomware variant

PCrisk found a new STOP ransomware variant that appends the .popn extension and drops a ransom note named _readme.txt.

August 2nd 2023

The PAMI confirmed a ransomware cyberattack: it took down the site, but they assure that “it was mitigated”

The Comprehensive Medical Care Program (PAMI) suffered a ransomware cyberattack, a type of virus that encrypts files to demand a ransom in exchange. Official sources confirmed to Clarín that this type of cyberattack was involved and that they are investigating where the intrusion came from. Shifts are maintained and medicines can be bought normally in pharmacies, they assured.

August 3rd 2023

  • Serco Inc., the Americas division of the multinational outsourcing company Serco Group, has disclosed a data breach. The breach occurred after attackers successfully stole the personal information of more than 10,000 individuals from a MOVEit managed file transfer (MFT) server belonging to a third-party vendor.
  • This edition of the Ransomware Roundup provides coverage of the DoDo and Proton ransomware.
  • EY, following an investigation, has issued data breach notifications related to the MOVEit tool. It is believed that an unauthorized entity gained access to certain files transferred via MOVEit, including files containing personal data of three residents in Maine. Subsequently, EY Law conducted a thorough analysis of the affected files to identify affected individuals, confirm their identities, and gather their contact information.
  • PCrisk has identified a new variant of the Phobos ransomware that appends the .G-STARS extension to encrypted files.
  • PCrisk has also detected the emergence of a new ransomware strain known as TrashPanda. This ransomware appends the .monochromebear extension to encrypted files and delivers a ransom note named [random_string]-readme.html.
  • Additionally, a new Python ransomware variant called CryBaby has been discovered by PCrisk. This ransomware appends the .lockedbycrybaby extension to encrypted files.
