Attacks with a new Linux encryptor have been deployed by the RansomHub ransomware-as-a-service operation against VMware ESXi environments, reports BleepingComputer.

Believed to be based on discontinued Knight ransomware, RansomHub's Linux encryptor not only enables configuration decryption and execution delays but also allows additional progress info logging to console, snapshot removals, and virtual machine shutdowns, according to a report from Recorded Future's Insikt Group.

RansomHub for Linux has also been thwarting detection by deactivating several critical services, including syslog, and enabling self-deletion, said researchers, who noted the encryptor's utilization of ChaCha20 and Curve25519 encryption for public and private key generation.

Organizations looking to neutralize RansomHub for Linux attacks on their VMware ESXi environments have been urged to add '-1' to their systems' '/tmp/app.pid' file, which would result in an endless loop of ending a nonexistent process. Such findings come more than a month after a report on the group's Windows and Linux encryptor.
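The '/tmp/app.pid' mitigation above can be applied idempotently with a small POSIX shell function. This is an added example, not code from the article or the cited report: the helper name `ensure_pid_marker` is hypothetical, and refusing symlinks and overwriting other content are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: place the '-1' marker in the PID file named in the article.
# ensure_pid_marker is a hypothetical helper; the path defaults to
# /tmp/app.pid and can be overridden (used here for testing).
# Prints one of: created | present | replaced | refused | failed

ensure_pid_marker() {
    pid_file="${1:-/tmp/app.pid}"

    # Assumption: never write through a symlink or onto a non-regular file.
    if [ -L "$pid_file" ] || { [ -e "$pid_file" ] && [ ! -f "$pid_file" ]; }; then
        echo "refused"
        return 1
    fi

    if [ -f "$pid_file" ]; then
        current="$(cat "$pid_file")"
        if [ "$current" = "-1" ]; then
            echo "present"      # marker already in place, nothing to do
            return 0
        fi
        # Assumption: any other content is overwritten and reported,
        # so the change can be reviewed by an operator.
        state="replaced"
    else
        state="created"
    fi

    printf '%s\n' "-1" > "$pid_file" || { echo "failed"; return 1; }
    echo "$state"
}
```

Calling `ensure_pid_marker` with no argument targets '/tmp/app.pid'; a result of `replaced` means the file existed with different content before the run.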
Ransomware, Patch/Configuration Management
VMware ESXi subjected to attacks with RansomHub for Linux
