A sample of the Qilin ransomware gang's VMware ESXi encryptor has been found and it could be one of the most advanced and customizable Linux encryptors seen to date.
Enterprises are increasingly moving their servers onto virtual machines, which allow better use of the available CPU, memory, and storage resources.
Due to this adoption, almost all ransomware gangs have created dedicated VMware ESXi encryptors to target these servers.
While many ransomware operations utilize the leaked Babuk source code to create their encryptors, a few, such as Qilin, create their own encryptors to target Linux servers.
Qilin targets VMware ESXi
Last month, security researcher MalwareHunterTeam found a Linux ELF64 encryptor for the Qilin ransomware gang and shared it with BleepingComputer to analyze.
While the encryptor can be used on Linux, FreeBSD, and VMware ESXi servers, it heavily focuses on encrypting virtual machines and deleting their snapshots.
Qilin's encryptor is built with an embedded configuration specifying the extension for encrypted files, the processes to terminate, the files to encrypt or exclude, and the folders to encrypt or exclude.
The encryptor also accepts numerous command-line arguments that override these embedded settings and control how files on a server are encrypted.
These arguments include options to enable a debug mode, perform a dry run that encrypts no files, and customize how virtual machines and their snapshots are handled.
Figure: Qilin Linux encryptor (Source: BleepingComputer)
The full list of command-line options is shown below:
OPTIONS:
-d,--debug Enable debug mode (logg ..
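A detection-side counterpart to the behaviour described above, added here as an illustration; it is not Qilin's code and not part of BleepingComputer's analysis. The script scans lines in the shape of ESXi /var/log/shell.log records and flags a shell session that removes snapshots from several VMs and force-kills VM processes in the same session, which is the pattern an ESXi encryptor needs before it can overwrite locked VMDK files. The sample log lines are constructed, and the command patterns (vim-cmd vmsvc/snapshot.removeall, esxcli vm process kill) and thresholds are assumptions: the article does not state which ESXi commands Qilin invokes.

```python
"""Flag ESXi shell sessions whose command history looks like an encryptor
preparing to encrypt VMs: bulk snapshot deletion plus forced VM kills.

Added illustration, not Qilin's code. The command patterns, thresholds and
sample lines are assumptions modelled on the shape of /var/log/shell.log.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real telemetry) in the shape of ESXi shell.log:
# session 2098 removes snapshots on two VMs and force-kills two VMs; session
# 3311 is an admin cleaning up one VM's snapshots before powering it on.
SAMPLE_SHELL_LOG = """\
2023-11-02T03:14:07Z shell[2098]: [root]: vim-cmd vmsvc/getallvms
2023-11-02T03:14:12Z shell[2098]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2023-11-02T03:14:13Z shell[2098]: [root]: vim-cmd vmsvc/snapshot.removeall 14
2023-11-02T03:14:15Z shell[2098]: [root]: esxcli vm process kill --type=force --world-id=2104915
2023-11-02T03:14:16Z shell[2098]: [root]: esxcli vm process kill --type=force --world-id=2104977
2023-11-02T03:14:20Z shell[2098]: [root]: chmod +x /tmp/encryptor
2023-11-02T09:41:00Z shell[3311]: [root]: vim-cmd vmsvc/snapshot.removeall 7
2023-11-02T09:42:10Z shell[3311]: [root]: vim-cmd vmsvc/power.on 7
"""

# One shell.log record: timestamp, shell pid, user, command line (assumed layout).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)

# Indicator patterns (assumptions, not taken from the sample's configuration).
INDICATORS = {
    "snapshot_removeall": re.compile(r"\bvim-cmd\s+vmsvc/snapshot\.removeall\b"),
    "vm_force_kill": re.compile(r"\besxcli\s+vm\s+process\s+kill\b.*--type=force\b"),
    "tmp_exec": re.compile(r"(?:^|\s)/tmp/\S+"),
}


def parse_shell_log(text):
    """Parse shell.log text into a list of dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def score_sessions(entries, min_snapshot_removals=2, min_force_kills=1):
    """Count indicator hits per shell session (pid) and decide which to flag.

    A session is flagged only when it removes snapshots on at least
    `min_snapshot_removals` VMs AND force-kills at least `min_force_kills` VMs,
    so a single-VM snapshot cleanup by an admin does not trip the rule.
    """
    counts = defaultdict(Counter)
    for e in entries:
        for name, pat in INDICATORS.items():
            if pat.search(e["cmd"]):
                counts[e["pid"]][name] += 1
    result = {}
    for pid, c in counts.items():
        flagged = (c["snapshot_removeall"] >= min_snapshot_removals
                   and c["vm_force_kill"] >= min_force_kills)
        result[pid] = {"counts": dict(c), "flagged": flagged}
    return result


def flagged_sessions(text):
    """Return the sorted pids of sessions that meet the flagging rule."""
    sessions = score_sessions(parse_shell_log(text))
    return sorted(pid for pid, s in sessions.items() if s["flagged"])


if __name__ == "__main__":
    for pid, s in score_sessions(parse_shell_log(SAMPLE_SHELL_LOG)).items():
        print(pid, "FLAGGED" if s["flagged"] else "ok", s["counts"])
```

Grouping by shell pid is the simplest session key; on a real host you would also bound the window in time and correlate with the hostd log, since an encryptor that drives ESXi through the API rather than the shell never appears in shell.log at all.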