In recent times Trend Micro Research unrevealed that the DarkSide ransomware is targeting organizations in manufacturing, finance, and critical infrastructures in regions such as the United States, France, Belgium, and Canada.
The Behaviour of the Linux Variant that Targets VMware ESXI Servers
The DarkSide ransomware has a Linux variant to infect more machines and cause more damage to the victim network. Still, this variant is quite specific, as its main configuration targets VM-related files on VMware ESXI servers.
The configuration of the Linux variant specifies features, such as the extension for encrypted files, C&C URL, number of threads, and a constraint on the minimum size of the target files to be encrypted.
The ransomware executable can accept parameters to infect more files and change its default settings. DarkSide runs several ESXCLI commands (such as the command-line interface framework in vSphere) to collect information about the infected ESXI host, such as the running virtual machinesVMs, storage-related information, and vSAN- related information.
The Ransomware performs a file size check before encryption and malware then opens the target file, reads the content based on the part and space size given in the configuration or the parameters, encrypts them, and writes to the file.
The analysis says that “the Linux variant drops a ransom note on the victim machine and adds a new file extension to the encrypted files and the malware does not add any ID at the end of it. Subsequently, it collects system information on the victim machine, such as hostname, domain, and disk information”.
The research says that the DarkSide ransomware family targets both Windows and Linux platforms and there are similarities between the Linux and Windows variants, but they are different concerning some features, such as encryption mechanism, target files, ransom note name, extension, C&C URL, and more.
“It mainly targets VM-related files on VMWare ESXI servers, such as VMDK files”. Furthermore, the DarkSide ransomware runs ESXCLI commands to get vSAN and storage information on the victim machine.
It also lists and kills running VMs on the infected ESXI host before encryption. Finally, it drops a ransom note on the encrypted directories on the victim machine”, according to the analysis of TrendMicro.