New Linux Variant of RansomHub Targets ESXi Systems

Hackers frequently target ESXi systems due to their extensive use in managing enterprise virtualized infrastructure, making them attractive targets. Exploiting security flaws in ESXi, threat actors can deploy ransomware and carry out other malicious activities, greatly impacting affected organizations. Recorded Future recently identified a new Linux variant of RansomHub actively attacking ESXi systems.

RansomHub Targets ESXi Systems

RansomHub, a RaaS platform active since February 2024, targets multiple operating systems with malware in Go and C++. It offers a 90% commission to affiliates, attracting experienced hackers and resulting in 45 IT department victims across 18 countries. Its code shows similarities to ALPHV and Knight Ransomware, suggesting possible links.

Organizations should adopt immediate and long-term security measures to combat the emerging threat of RansomHub. Introduced on the Ramp forum by “koley” in February 2024, RansomHub deploys Go and C++ malware targeting Windows, Linux, and ESXi systems.

This multi-OS approach, indicative of a trend where cross-platform attacks increased sevenfold from 2022 to 2023, has significantly expanded the victim count.

RansomHub’s 90% commission rate attracts experienced affiliates, leading to its rapid proliferation. It has already claimed 45 victims across 18 countries, primarily focusing on the IT industry.

RansomHub employs a “big game hunting” approach, targeting high-value victims likely to pay large ransoms due to costly operational downtimes. Affiliates exploit misconfigured Amazon S3 instances to access client backups, then extort backup providers by threatening to sell stolen data.

This strategy leverages provider-client trust bonds. Notably, RansomHub affiliates recently sold 4TB of data stolen from Change Healthcare, a U.S.-based healthcare tech firm.

According to the Insikt Group, RansomHub shares code similarities with ALPHV (BlackCat) and Knight Ransomware, using encrypted file passwords to thwart analysis.

A potential mitigation strategy involves modifying the /tmp/app.pid file created by the ESXi version of the ransomware, which prevents multiple instances of the malware from running. This change can stop the ransomware from functioning.

Mitigations

Here are the mitigation strategies for protecting against ransomware attacks:

1. Network Segmentation:
   • Isolate critical systems from general user access to limit lateral movement within the network.
2. Centralized Logging:
   • Use a SIEM system to collect and analyze logs in real time, helping detect suspicious activities.
3. EDR with YARA/Sigma Rules:
   • Deploy Endpoint Detection and Response solutions and use YARA and Sigma rules to identify ransomware indicators.
4. Least Privilege & MFA:
   • Apply the principle of least privilege and enforce Multi-Factor Authentication for remote access.
5. Regular Backups:
   • Conduct offline and isolated backups of critical data to ensure recovery in case of an attack.
6. System Audits:
   • Perform regular audits to identify and fix vulnerabilities in systems and network configurations.
7. Patching:
   • Keep all systems and applications up-to-date with the latest security patches.
8. Malware Detection Rules:
   • Utilize YARA, Sigma, and Snort rules to detect ransomware and other malware.

Implementing these strategies will help protect against ransomware threats like RansomHub.

‍Follow Us on: Twitter, Instagram, Facebook to get the latest security news!