SpearTip | July 27th, 2021

HelloKitty ransomware operators are now targeting VMware ESXi servers using a Linux variant.

VMware ESXi lets organizations run many virtual machines on a single host, which simplifies backup and resource management. Ransomware operators keep up with the latest platforms and trends in the industry so they can tailor their attacks accordingly.

The VMware ESXi platform is one of the most widely used virtual machine platforms among enterprise businesses. ESXi is not itself a Linux system, but what makes it such a prime target for ransomware operators is its ability to run ELF64 Linux executables.

@MalwareHunterTeam on Twitter discovered the Linux ELF64 HelloKitty ransomware running on ESXi servers and the virtual machines hosted on them. Strings in the shared samples reference ESXi servers as the ransomware attempts to shut down any running virtual machines.

Some threat groups attempt to shut down virtual machines before encrypting files so that the virtual machine files are released and are not corrupted during encryption.

Further inspection shows the ransomware shutting down the virtual machines in a three-step process, so that any machines still running after one step are caught by the next:

esxcli vm process kill -t=soft -w=%d

esxcli vm process kill -t=hard -w=%d

esxcli vm process kill -t=force -w=%d

After these commands have run and the machines are shut down, the ransomware begins encrypting files with the extensions .vmdk, .vmsd, and .vmsn. Encrypting these files lets the operators effectively encrypt entire virtual machines with one command.
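The escalating soft, hard, force kill sequence above is itself a usable detection signal. The following is an added example, not code from the original post: it parses lines in the shape of ESXi's /var/log/shell.log (which records commands run in the ESXi shell) and flags hosts where several VMs were hit by the full soft-to-hard-to-force sequence within a short window. The log lines, PIDs and world IDs are constructed for this example; the %d in the strings above is the per-VM world ID filled in at runtime.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the shape of ESXi /var/log/shell.log entries.
# Timestamps, shell PIDs and world IDs (-w) are made up for this example.
SAMPLE_LOG = """\
2021-07-27T10:00:01Z shell[1001]: [root]: esxcli vm process list
2021-07-27T10:00:02Z shell[1001]: [root]: esxcli vm process kill -t=soft -w=2101
2021-07-27T10:00:02Z shell[1001]: [root]: esxcli vm process kill -t=soft -w=2102
2021-07-27T10:00:05Z shell[1001]: [root]: esxcli vm process kill -t=hard -w=2101
2021-07-27T10:00:05Z shell[1001]: [root]: esxcli vm process kill -t=hard -w=2102
2021-07-27T10:00:08Z shell[1001]: [root]: esxcli vm process kill -t=force -w=2101
2021-07-27T10:00:08Z shell[1001]: [root]: esxcli vm process kill -t=force -w=2102
2021-07-27T11:30:00Z shell[1002]: [root]: esxcli vm process kill -t=soft -w=2103
"""

# Matches only "esxcli vm process kill" lines and captures the kill type and world ID.
KILL_RE = re.compile(
    r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: "
    r"esxcli vm process kill -t=(?P<mode>soft|hard|force) -w=(?P<wid>\d+)"
)

ESCALATION = ("soft", "hard", "force")  # the order HelloKitty uses


def parse_kills(text):
    """Yield (timestamp, user, kill_type, world_id) for each esxcli kill line."""
    for line in text.splitlines():
        m = KILL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts.replace(tzinfo=timezone.utc), m["user"], m["mode"], int(m["wid"])


def detect_kill_escalation(text, window_seconds=60, min_vms=2):
    """Return world IDs that received soft, then hard, then force within the
    window, and whether enough VMs were hit to look like a mass shutdown."""
    first_seen = {}  # world_id -> {kill_type: first timestamp seen}
    for ts, _user, mode, wid in parse_kills(text):
        first_seen.setdefault(wid, {}).setdefault(mode, ts)
    escalated = []
    for wid, modes in first_seen.items():
        if all(m in modes for m in ESCALATION):
            stamps = [modes[m] for m in ESCALATION]
            in_order = stamps == sorted(stamps)
            if in_order and (stamps[-1] - stamps[0]).total_seconds() <= window_seconds:
                escalated.append(wid)
    return {"escalated_worlds": sorted(escalated), "mass_shutdown": len(escalated) >= min_vms}
```

A single soft kill of one VM (world 2103 in the sample) is routine administration and is not flagged; the full sequence across several VMs in seconds is what should page an analyst.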

HelloKitty ransomware is also known as DeathRansom or Fivehands.

SpearTip’s Security Operations Center as a Service (SOCaaS) provides a complete suite of security structure for your company. It can provide instant value at a time when threat actors are improving creativity and implementing new tactics in order to penetrate networks of enterprise businesses. Our fully staffed, 24/7/365 SOC enables your organization to have the eyes of trained professionals continuously monitoring your network for threats.

Working in tandem with our SOC is our internally developed ShadowSpear platform. The ShadowSpear platform detects and notifies our certified engineers of potential threats. It can also block malicious ransomware executables, such as the HelloKitty ransomware, from running on your machines, which is crucial to preventing encryption and protecting your team’s most critical asset: data.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.