Published on 28 Apr 2023 | Updated on 28 Apr 2023
An ongoing ransomware campaign has been found deploying a Linux encryptor that targets virtual machines (VM) on VMware ESXi servers. The Linux encryptor appears to be created explicitly for attacking VMware ESXi systems, as it contains multiple references to commands used to manage virtual machines.
Possible indicators of compromise (IOCs) associated with the ongoing ransomware campaign are shown in the table below.
|File Name||vmlist.tmp.txt||Enumerates the ESXi VMs currently running on the system|
Administrators may wish to consider tracking and blocking IOCs associated with the malware, which includes the malware hashes and monitoring for unauthorised access to the vmlist.tmp.txt file.
Users and administrators may refer to our advisory on how to protect their systems and data from ransomware threats here.
If your organisation is a victim of a ransomware incident, please refer to our ransomware response checklist here.
More information is available here: