New Linux Variant Of RansomHub Attacking ESXi Systems

Hackers often attack ESXi systems, as they are widely used in enterprise environments to manage virtualized infrastructure, making them lucrative targets.

Threat actors can exploit security flaws in ESXi to deploy ransomware and perform other malicious activities, significantly increasing the effect on the affected organizations.


Recorded Future recently discovered that a new Linux variant of RansomHub has been actively attacking the ESXi systems.

Free Webinar on API vulnerability scanning for OWASP API Top 10 vulnerabilities -> Book Your Spot

RansomHub Attacking ESXi Systems

RansomHub is a RaaS platform that began operating in February 2024; it attacks various operating systems with malware written in Go and C++.

This pays out 90% commission, which entices experienced affiliates, leading to 45 victims from IT departments across 18 nations.

Some similarities exist between the ransomware and ALPHV and Knight Ransomware codes, indicating possible connections.

Organizations should consider immediate and long-term security measures to contain this emerging threat.

In February 2024, a new ransomware platform called RansomHub was presented on the Ramp forum by “koley” which features Go and C++ malware with many functionalities that target Windows, Linux, and ESXi systems.

This approach is typical of multi-OS environments and shows how cross-platform attacks increased sevenfold between 2022 and 2023, consequently expanding the victim count incredibly.

RansomHub’s high 90% commission rate appeals to seasoned affiliates, resulting in rapid growth. In this regard, it has hit 45 victims in 18 countries, mainly focusing on the IT industry.

This means a “big game hunting” approach, targeting high-value victims who are likely to pay large ransoms because of costly operational downtimes.

By taking advantage of misconfigured Amazon S3 instances, RansomHub affiliates got into backups for several clients. Then they used threats to those backup providers in an extortion scheme meant to induce them into buying the data.

The strategy capitalizes on provider-client trust bonds. They recently became well-known for vending 4TB of stolen information obtained from Change Healthcare, a healthcare tech firm based in the United States.

The Insikt Group affirmed that the RansomHub is closely related to ALPHV (BlackCat) and Knight Ransomware owing to certain code similarities. RansomHub uses encrypted file password settings to prevent analysis.

A potential mitigation strategy is altering this file so that it stops functioning by modifying /tmp/ made by ESXi version of the ransomware as it only allows one instance of the ransomware.


Here below, we have mentioned all the mitigations:-

  • Segment network to limit lateral movement.
  • Use SIEM for centralized logging and detection.
  • Implement EDR with YARA/Sigma rules.
  • Enforce the least privilege & MFA for remote access.
  • Regular offline and isolated data backups.
  • Conduct consistent system audits.
  • Keep all systems patched and updated.
  • Use YARA, Sigma, and Snort rules for malware detection.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.