RansomHub has rapidly emerged as a major cybercrime syndicate in 2024–2025, expanding its arsenal to target Windows, VMware ESXi, Linux, and FreeBSD in global attacks.
The group employs advanced evasion techniques, cross-platform encryption, and exploits vulnerabilities in enterprise infrastructure. Group-IB analysts report that RansomHub has compromised over 600 organizations, including those in healthcare, finance, and critical infrastructure.
Multi-OS Encryption Capabilities
RansomHub’s ransomware adapts to different platforms, using specific commands and encryption methods for each.
For Windows, a PowerShell command runs the ransomware with options to set a password, disable networking, and skip certain virtual machines:
RansomHub.exe -pass <SHA256> -fast -disable-net -skip-vm "VM1"
A JSON file, decrypted at runtime, controls whitelisted directories, process termination lists, and credentials for spreading within networks.
The ESXi encryptor, written in C++, shuts down virtual machines with vim-cmd and encrypts files like .vmdk and .vmx using ChaCha20 and Curve25519 encryption. A flaw in the /tmp/app.pid check lets defenders stop encryption by writing -1 to the file, forcing an infinite loop.
Example ESXi code:
/* Single-instance check from the ESXi encryptor: if /tmp/app.pid exists, read the
   stored PID, kill that process if it is still alive, then exit. read_pid() is the
   sample's own helper that parses the PID out of the file. */
if (access("/tmp/app.pid", F_OK) == 0) {
    pid_t pid = read_pid();
    if (kill(pid, 0) == 0) {      /* signal 0 only tests whether pid is alive */
        kill(pid, SIGKILL);
        exit(0);
    }
}
The Linux version encrypts files in 1 MB chunks and disables syslog to avoid detection.
On FreeBSD, the ransomware, detected as Ransom.FreeBSD.INTERLOCK.THJBBBD, skips important system folders (/boot, /etc) and adds .interlock to encrypted files.
RansomHub spreads by exploiting known vulnerabilities like CVE-2024-3400 (Palo Alto firewalls) and CVE-2021-42278/CVE-2020-1472 (Active Directory).
The group pressures victims by threatening regulatory reporting for PDPL violations.
Decrypted configuration snippet:
{
  "master_public_key": "a1b2c3…",
  "extension": ".6706c3",
  "note_file_name": "README.txt",
  "kill_processes": ["MsMpEng.exe", "TaniumCX.exe"]
}
CISA urges organizations to patch CVE-2024-3400 and audit remote services to counter RansomHub. Detection includes YARA rules, monitoring suspicious PowerShell commands, and blocking known IoCs. With RansomHub exploiting zero-days and recruiting ex-ALPHV/LockBit affiliates, strong endpoint security and backup isolation are critical.
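As an added example (not from the article or from Group-IB's or CISA's material), the following Python scorer shows the kind of command-line monitoring the detection guidance refers to: it flags process-creation events that carry the switch combination attributed to the Windows encryptor above (-pass, -fast, -disable-net, -skip-vm) and weights -pass higher when its argument looks like a SHA256 value. The Sysmon-like event fields and the sample events are constructed for the example, and the threshold is an assumption to be tuned per environment.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Command-line switches the article attributes to the RansomHub Windows encryptor.
RANSOMHUB_FLAGS = {"-pass", "-fast", "-disable-net", "-skip-vm"}
SHA256_HEX = re.compile(r"[0-9a-f]{64}")

@dataclass
class Finding:
    host: str
    image: str
    matched_flags: List[str]
    score: int

def score_command_line(cmdline: str) -> Tuple[List[str], int]:
    """One point per distinct RansomHub switch present, plus two when -pass is
    followed by a 64-hex-char value (the article describes it as a SHA256)."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keeps "VM1" quoting intact
    except ValueError:                              # unbalanced quotes: crude fallback
        tokens = cmdline.split()
    lowered = [t.lower() for t in tokens]
    matched = sorted({t for t in lowered if t in RANSOMHUB_FLAGS})
    score = len(matched)
    if "-pass" in lowered:
        idx = lowered.index("-pass")
        if idx + 1 < len(lowered) and SHA256_HEX.fullmatch(lowered[idx + 1]):
            score += 2
    return matched, score

def scan_events(events: List[Dict[str, str]], threshold: int = 3) -> List[Finding]:
    """Flag process-creation events whose command line scores >= threshold."""
    findings = []
    for ev in events:
        flags, score = score_command_line(ev["cmdline"])
        if score >= threshold:
            findings.append(Finding(ev["host"], ev["image"], flags, score))
    return findings

# Constructed process-creation events with Sysmon-like fields, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "esx-mgmt01", "image": r"C:\Users\svc\RansomHub.exe",
     "cmdline": "RansomHub.exe -pass " + "a" * 64 + ' -fast -disable-net -skip-vm "VM1"'},
    {"host": "ws-042", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"host": "ws-017", "image": r"C:\Tools\backup.exe",
     "cmdline": "backup.exe -fast -pass hunter2"},  # generic switches, below threshold
]
```

The third sample event shows why a single switch name is a weak signal on its own: -fast and -pass are common option names, so the scorer only raises a finding when the combination (or the SHA256-shaped password) is present.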