Chris Swagler | June 18th, 2022

A new ransomware strain, Black Basta, is actively targeting VMware ESXi virtual machines running on enterprise Linux servers, encrypting files inside volume folders. The group initially targeted only Windows-based systems but is now going after VMware virtual machines (VMs). Numerous ransomware groups have focused their attacks on ESXi VMs because the tactic fits their enterprise targeting, and it lets them encrypt multiple servers with a single command. Since many companies have moved to virtual machines, which simplify device management and make more effective use of resources, encrypting the VMs themselves is a natural choice for the attackers.

Threat research analysts recently discovered new Black Basta ransomware binaries that specifically target VMware ESXi servers. Linux ransomware encryptors aren’t new; similar encryptors have been released by numerous other groups, including LockBit, HelloKitty, REvil, Cheerscrypt, and Hive. The Black Basta variant searches for the volumes folder (/vmfs/volumes) to encrypt virtual machines on compromised ESXi systems and servers. Researchers were unable to identify command-line arguments for targeting other paths, indicating that the encryptor is designed to target ESXi servers only. According to the analysts, it encrypts files using the ChaCha20 algorithm and uses multi-threading across the numerous processors on these servers, making encryption faster and harder to detect. Because the resources on these servers are far greater than on a normal system, these mechanisms allow the ransomware to encrypt files much faster.

During encryption, the ransomware appends the “.basta” extension to the names of encrypted files and creates a “readme.txt” ransom note in each folder. The note includes a link to the chat support panel and a unique ID that victims use to contact the threat actors.

The Black Basta ransomware group was discovered in April, with variants targeting Windows systems. The connection to that earlier Windows campaign was established through the chat support link and the encrypted file extension. Companies that run private clouds on VMware ESXi hosts, or that use ESXi hosts to store data and perform other operational duties, must monitor sensitive folders and data on these systems and servers. The onion link to the threat operator’s chat panel was found to be the same as in the previous Black Basta binaries that targeted Windows systems.
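As an added example (not from the original article), the following read-only check looks for the two file-level indicators described above, files renamed with the “.basta” extension and a “readme.txt” ransom note dropped beside them, across the VM folders under an ESXi datastore root. It is written for the ESXi busybox shell and uses only POSIX sh, find, sed, sort and grep; the sample datastore layout it builds is constructed for offline demonstration.

```sh
#!/bin/sh
# Added example, not part of the original article. Read-only scan of an ESXi
# datastore tree for the indicators the article describes: VM folders holding
# files with the ".basta" extension and a "readme.txt" ransom note beside them.

# scan_basta_indicators [ROOT]
#   ROOT defaults to /vmfs/volumes; pass another directory to run it offline.
#   Prints one line per affected folder:  <folder> basta_files=<n> ransom_note=yes|no
#   Returns 0 when at least one indicator was found, 1 when the tree looks clean,
#   so the function can gate an alert from a cron job.
scan_basta_indicators() {
    root="${1:-/vmfs/volumes}"
    # Deduplicated list of folders that contain at least one ".basta" file.
    dirs=$(find "$root" -type f -name '*.basta' 2>/dev/null | sed 's:/[^/]*$::' | sort -u)
    [ -n "$dirs" ] || return 1
    printf '%s\n' "$dirs" | while IFS= read -r dir; do
        n=0
        for f in "$dir"/*.basta; do [ -f "$f" ] && n=$((n + 1)); done
        if [ -f "$dir/readme.txt" ]; then note=yes; else note=no; fi
        printf '%s basta_files=%d ransom_note=%s\n' "$dir" "$n" "$note"
    done
    return 0
}

# Constructed datastore layout for an offline run; the real root is /vmfs/volumes.
# Two VM folders show indicators (one with a note, one without), one folder is clean.
make_sample_datastore() {
    ds=$(mktemp -d)
    mkdir -p "$ds/datastore1/web01" "$ds/datastore1/db01" "$ds/datastore2/clean"
    : > "$ds/datastore1/web01/web01.vmdk.basta"
    : > "$ds/datastore1/web01/web01.vmx.basta"
    echo "constructed ransom note" > "$ds/datastore1/web01/readme.txt"
    : > "$ds/datastore1/db01/db01-flat.vmdk.basta"
    : > "$ds/datastore2/clean/clean.vmdk"
    printf '%s\n' "$ds"
}

# Stand-alone demonstration against the constructed tree.
sample=$(make_sample_datastore)
scan_basta_indicators "$sample" || echo "no indicators under $sample"
```

Finding these indicators means encryption has already begun on that datastore, so the check complements, rather than replaces, host hardening, access restrictions on the ESXi shell, and offline backups.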

The group’s ransom demands vary between victims; one victim received a demand of over $2 million for a decryptor and to avoid having its data leaked online. Black Basta has been found to partner with the Qbot (aka Qakbot) malware family, which steals bank and Windows domain credentials and deploys malware on infected systems. During a recent incident response engagement, the Black Basta group was observed using Qbot to move laterally through the network. Other Black Basta campaigns have included gathering the internal IP addresses of all hosts on the network, disabling Windows Defender, deleting Veeam backups from Hyper-V servers, and using WMI to deploy the ransomware.

Even though Black Basta is a new ransomware group, it is likely a rebrand of an established group, given its ability to breach new victims and its negotiating style. The main reason numerous ransomware groups maintain a Linux-based version of their ransomware is to target ESXi specifically. That’s why companies must remain vigilant of the current threat landscape and keep the security measures protecting their VMware ESXi virtual machines up to date. At SpearTip, our cyber maturity assessments evaluate the overall cyber maturity of companies and their insureds: network configurations, security tools currently in use, security measures, preparedness, and capabilities. Our pre-breach advisory services allow our certified engineers to examine companies’ security posture and improve the weak points in their networks. For every vulnerability we discover, our experts provide a technical roadmap to ensure that companies have the awareness and support to optimize their overall cyber security posture.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.