Ongoing Ransomware Campaign Targeting VMware ESXi Servers

Published on 28 Apr 2023

An ongoing ransomware campaign has been found deploying a Linux encryptor that targets virtual machines (VM) on VMware ESXi servers. The Linux encryptor appears to be created explicitly for attacking VMware ESXi systems, as it contains multiple references to commands used to manage virtual machines.

Possible indicators of compromise (IOCs) associated with the ongoing ransomware campaign are shown in the table below.

Type      | Indicator                                                        | Description
File Hash | 55b85e76abb172536c64a8f6cf4101f943ea826042826759ded4ce46adc00638 | SHA256
File Hash | b376d511fb69085b1d28b62be846d049629079f4f4f826fd0f46df26378e398b | SHA256
File Hash | d68c99d7680bf6a4644770edfe338b8d0591dfe143278412d5ed62848ffc99e0 | SHA256
File Name | vmlist.tmp.txt                                                   | Enumerates the ESXi VMs currently running on the system
Administrators may wish to consider tracking and blocking the IOCs associated with the malware, which include the malware file hashes listed above, and monitoring for unauthorised access to or creation of the vmlist.tmp.txt file.
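As an added illustration of the hash-tracking and file-name monitoring suggested above (example code written for this page, not a tool from the advisory or from any of the linked reports), the following Python script walks a directory tree, computes the SHA256 of every regular file, and reports any file whose digest is in the advisory's IOC set or whose name matches vmlist.tmp.txt. The scan roots, the demo directory and its sample contents are constructed assumptions; the three hashes and the file name are the ones from the table above.

```python
import hashlib
import os
import tempfile

# SHA256 file hashes from the advisory's IOC table.
IOC_SHA256 = {
    "55b85e76abb172536c64a8f6cf4101f943ea826042826759ded4ce46adc00638",
    "b376d511fb69085b1d28b62be846d049629079f4f4f826fd0f46df26378e398b",
    "d68c99d7680bf6a4644770edfe338b8d0591dfe143278412d5ed62848ffc99e0",
}

# File name from the advisory's IOC table (used by the encryptor to list VMs).
IOC_FILENAMES = {"vmlist.tmp.txt"}


def sha256_file(path, chunk_size=1 << 20):
    """Return the hex SHA256 of a file, hashing in chunks so large VM files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, hashes=IOC_SHA256, filenames=IOC_FILENAMES):
    """Walk `root` and return (kind, indicator, path) tuples for every IOC match.

    kind is "filename" when the file name is in `filenames` and "sha256" when
    the file's digest is in `hashes`. A single file can produce both findings.
    Symlinks are not followed and unreadable files are skipped.
    """
    findings = []
    for dirpath, _dirnames, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if name in filenames:
                findings.append(("filename", name, path))
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # permission problem or file vanished mid-scan
            if digest in hashes:
                findings.append(("sha256", digest, path))
    return findings


def build_demo_tree():
    """Create a constructed directory (harmless sample data, not malware) for a self-test.

    Returns (root, sample_path, sample_sha256) so callers can scan it with a
    hash set that is known to match.
    """
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    sample_bytes = b"constructed sample content"
    sample_path = os.path.join(root, "sample.bin")
    with open(sample_path, "wb") as handle:
        handle.write(sample_bytes)
    # Constructed stand-in for the VM listing file named in the advisory.
    with open(os.path.join(root, "vmlist.tmp.txt"), "w") as handle:
        handle.write("vm-01\nvm-02\n")
    return root, sample_path, hashlib.sha256(sample_bytes).hexdigest()


if __name__ == "__main__":
    # Assumed scan roots for a real host; on ESXi, /tmp and the datastore
    # mounts under /vmfs/volumes are typical places to look.
    roots = [p for p in ("/tmp", "/vmfs/volumes") if os.path.isdir(p)]
    if not roots:
        demo_root, _, _ = build_demo_tree()
        roots = [demo_root]
    for root in roots:
        for kind, indicator, path in scan_directory(root):
            print(f"MATCH {kind} {indicator} {path}")
```

Run it as root on the host under review (or point `scan_directory` at a mounted datastore); a "sha256" finding means a file identical to one of the advisory's samples is present, while a "filename" finding only means a file with the same name exists and should be inspected, since the name alone is not proof of compromise.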

Users and administrators may refer to our advisory on how to protect their systems and data from ransomware threats here.

If your organisation is a victim of a ransomware incident, please refer to our ransomware response checklist here.

More information is available here:

https://www.bleepingcomputer.com/news/security/linux-version-of-rtm-locker-ransomware-targets-vmware-esxi-servers/

https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux