New DarkSide Ransomware Linux Variant Particularly Targets VMware ESXi Servers

Trend Micro Research recently revealed that the DarkSide ransomware is targeting organizations in manufacturing, finance, and critical infrastructure in regions such as the United States, France, Belgium, and Canada.

The DarkSide ransomware targets both Windows and Linux platforms. The researchers also noticed that the Linux variant, in particular, targets ESXi servers.

The Behaviour of the Linux Variant that Targets VMware ESXi Servers

The DarkSide ransomware has a Linux variant so that it can infect more machines and cause more damage to the victim network. Still, this variant is quite specific: its main configuration targets VM-related files on VMware ESXi servers.

Target File Extensions

The configuration of the Linux variant specifies features such as the extension for encrypted files, the C&C URL, the number of threads, and a minimum size for target files to be encrypted.

The ransomware executable accepts parameters to infect more files and change its default settings. DarkSide runs several ESXCLI commands (ESXCLI is the command-line interface framework in vSphere) to collect information about the infected ESXi host, such as the running virtual machines (VMs), storage-related information, and vSAN-related information.

The Linux variant of the DarkSide ransomware uses a ChaCha20 stream cipher (a variant of the Salsa20 family of stream ciphers) with RSA-4096 to encrypt targeted files on the victim machine.

The ransomware performs a file-size check before encryption. The malware then opens the target file, reads its content in the part and space sizes given in the configuration or the command-line parameters, encrypts those parts, and writes them back to the file.
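The part/space pattern described above leaves a recognisable footprint: encrypted stretches of near-random bytes alternating with untouched low-entropy content. The following triage scanner is an added example written for this article, not code from Trend Micro or from the malware. It walks a file in fixed chunks, computes Shannon entropy per chunk, and flags files that are striped in this way or whose VMDK header magic has been overwritten. The chunk size, the entropy threshold, and the sample files (built from a deterministic full-range byte pattern rather than any real cipher) are all constructed assumptions.

```python
"""Triage files on a datastore for partial ("part/space") encryption.

Added example, not the malware's or Trend Micro's code. Chunk size, threshold
and sample data are assumptions made for illustration.
"""
import math
from collections import Counter

CHUNK = 4096            # assumed chunk size for the entropy walk
HIGH_ENTROPY = 7.5      # bits/byte; encrypted or compressed data sits near 8.0
VMDK_MAGIC = b"KDMV"    # sparse-extent VMDK header magic


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def chunk_entropies(data: bytes, chunk: int = CHUNK):
    """Entropy of each consecutive chunk of the file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def looks_partially_encrypted(data: bytes, chunk: int = CHUNK):
    """Return (verdict, high_entropy_chunks, total_chunks).

    The verdict is True when the file mixes high-entropy chunks with ordinary
    ones (striped encryption), or when its first chunk is high-entropy and the
    VMDK magic is gone (header overwritten).
    """
    ents = chunk_entropies(data, chunk)
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    header_clobbered = bool(ents) and ents[0] >= HIGH_ENTROPY and not data.startswith(VMDK_MAGIC)
    striped = 0 < high < len(ents)
    return bool(striped or header_clobbered), high, len(ents)


# Constructed samples: a low-entropy "VMDK-like" file, and the same file with
# every other chunk replaced by a full-range byte pattern (entropy exactly 8.0)
# to mimic the part/space stripe. No real cipher is used.
def make_clean(chunks: int = 8) -> bytes:
    header = VMDK_MAGIC + b"\x00" * (CHUNK - len(VMDK_MAGIC))
    filler = b"disk sector padding ".ljust(CHUNK, b"\x00")
    return header + filler * (chunks - 1)


def make_striped(chunks: int = 8, part: int = CHUNK, space: int = CHUNK) -> bytes:
    """Overwrite `part` bytes, skip `space` bytes, repeat (assumed stripe shape)."""
    data = bytearray(make_clean(chunks))
    stripe = (bytes(range(256)) * (part // 256 + 1))[:part]
    pos = 0
    while pos < len(data):
        end = min(pos + part, len(data))
        data[pos:end] = stripe[:end - pos]
        pos += part + space
    return bytes(data)


if __name__ == "__main__":
    for name, sample in (("clean", make_clean()), ("striped", make_striped())):
        print(name, looks_partially_encrypted(sample))
```

On a real datastore you would feed `looks_partially_encrypted` the first few megabytes of each file rather than the whole disk image; the stripe shows up within the first handful of chunks, and reading entire multi-gigabyte VMDKs during an incident is rarely affordable.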

The analysis says that “the Linux variant drops a ransom note on the victim machine and adds a new file extension to the encrypted files and the malware does not add any ID at the end of it. Subsequently, it collects system information on the victim machine, such as hostname, domain, and disk information”.

System Information Collection

The research says that the DarkSide ransomware family targets both Windows and Linux platforms. There are similarities between the Linux and Windows variants, but they differ in some features, such as the encryption mechanism, target files, ransom note name, extension, C&C URL, and more.

“It mainly targets VM-related files on VMware ESXi servers, such as VMDK files”. Furthermore, the DarkSide ransomware runs ESXCLI commands to get vSAN and storage information on the victim machine.

It also lists and kills running VMs on the infected ESXi host before encryption. Finally, it drops a ransom note on the encrypted directories on the victim machine, according to the analysis of Trend Micro.
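The sequence described in this article, ESXCLI enumeration of VMs, storage and vSAN, followed by killing running VMs shortly before encryption, is a useful thing to alert on in ESXi shell history. The detector below is an added example for this article, not Trend Micro's code. It parses constructed log lines in a shell.log-like layout (the line format and the session-by-PID grouping are assumptions) and reports sessions where reconnaissance commands are followed by `esxcli vm process kill` within a short window; the window length and command prefixes are assumptions as well.

```python
"""Flag ESXi sessions where ESXCLI reconnaissance is followed by VM kills.

Added example, not Trend Micro's code. Log format, grouping by PID and the
time window are assumptions made for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled loosely on ESXi /var/log/shell.log (assumed format).
SAMPLE_LOG = """\
2021-05-10T08:01:12Z shell[12345]: [root]: esxcli vm process list
2021-05-10T08:01:15Z shell[12345]: [root]: esxcli storage filesystem list
2021-05-10T08:01:20Z shell[12345]: [root]: esxcli vsan cluster get
2021-05-10T08:01:44Z shell[12345]: [root]: esxcli vm process kill --type=force --world-id=2100112
2021-05-10T08:01:45Z shell[12345]: [root]: esxcli vm process kill --type=force --world-id=2100119
2021-05-10T09:30:00Z shell[22222]: [admin]: esxcli storage filesystem list
2021-05-10T14:00:00Z shell[33333]: [admin]: esxcli vm process kill --type=soft --world-id=2100200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)

# Command families the article names: VM listing, storage and vSAN enumeration.
RECON_PREFIXES = ("esxcli vm process list", "esxcli storage ", "esxcli vsan ")
KILL_PREFIX = "esxcli vm process kill"
WINDOW = timedelta(minutes=10)  # assumed: kills this soon after recon are suspicious


def parse(lines):
    """Yield (timestamp, pid, user, command) for lines that match the format."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["pid"], m["user"], m["cmd"]


def find_recon_then_kill(log_text: str, window: timedelta = WINDOW):
    """Return one alert dict per shell session (PID) where reconnaissance
    commands were followed by VM kill commands inside `window`."""
    sessions = {}  # pid -> {"user", "recon": [(ts, cmd)], "kills": [(ts, cmd)]}
    for ts, pid, user, cmd in parse(log_text.splitlines()):
        s = sessions.setdefault(pid, {"user": user, "recon": [], "kills": []})
        if cmd.startswith(RECON_PREFIXES):
            s["recon"].append((ts, cmd))
        elif cmd.startswith(KILL_PREFIX):
            s["kills"].append((ts, cmd))

    alerts = []
    for pid, s in sessions.items():
        if not s["recon"] or not s["kills"]:
            continue  # recon alone or kills alone is ordinary admin activity
        first_recon = s["recon"][0][0]
        kills_in_window = [
            k for k in s["kills"]
            if timedelta(0) <= k[0] - first_recon <= window
        ]
        if kills_in_window:
            alerts.append({
                "pid": pid,
                "user": s["user"],
                "recon": [c for _, c in s["recon"]],
                "kills": len(kills_in_window),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_recon_then_kill(SAMPLE_LOG):
        print(alert)
```

Grouping by PID is a stand-in for "same interactive session"; on a real host the same logic would be applied to shell.log shipped to a SIEM, with the kill prefix extended to cover `vim-cmd` equivalents if your environment uses them.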


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
