"Linux version of Qilin ransomware focuses on VMware ESXi"
Security researcher MalwareHunterTeam has found a sample of the Qilin ransomware gang's VMware ESXi encryptor, and it could be one of the most advanced and customizable Linux encryptors seen to date. The researcher noted that enterprises are increasingly moving to virtual machines to host their servers, as they allow for better usage of available CPU, memory, and storage resources. Due to this adoption, almost all ransomware gangs have created dedicated VMware ESXi encryptors to target these servers. The researcher noted that while many ransomware operations utilize the leaked Babuk source code to create their encryptors, a few, such as Qilin, create their own encryptors to target Linux servers. The researchers stated that while the encryptor can be used on Linux, FreeBSD, and VMware ESXi servers, it heavily focuses on encrypting virtual machines and deleting their snapshots. Qilin's encryptor is built with an embedded configuration specifying the extension for encrypted files, the processes to terminate, the files to encrypt or exclude, and the folders to encrypt or exclude. The researcher noted that it also includes numerous command-line arguments allowing extensive customization of these configuration options and how files are encrypted on a server. These command line arguments include options to enable a debug mode, perform a dry run without encrypting any files, or customize how virtual machines and their snapshots are encrypted.
BleepingComputer reports: "Linux version of Qilin ransomware focuses on VMware ESXi"