AvosLocker cybergang wants to encrypt VMware ESXi VMs


The cybergang AvosLocker has added a Linux version of its ransomware to its arsenal. It targets the servers on which VMware ESXi hypervisors are installed. The group already has victims, and its ransom demands have reached a million dollars.


Virtual machines are popular with attackers, and it is easy to see why: a single malicious command aimed at a VMware ESXi environment can quickly encrypt the data of every VM hosted on the server it runs on. That makes ESXi a great opportunity for cybergangs to maximize their earnings. Many of them have understood this and have, in recent months, built variants of their ransomware to attack servers hosting ESXi hypervisors, for example Babuk, DarkSide, Mespinoza, RansomExx/Defray and, more recently, REvil.

AvosLocker now joins them. The group appeared over the course of last summer and does not hesitate to advertise on dark net forums to recruit affiliates. Positioned in the lucrative RaaS (ransomware as a service) niche, AvosLocker launched new variants of its ransomware (avos2 and avoslinux) last October. The security research group MalwareHunterTeam explained that AvosLocker began using its Linux encryptor in November 2021.

A Linux version of a ransomware tailored for ESXi

As a reminder, ESXi is VMware's type 1 (bare-metal) hypervisor for creating and running virtual machines. It is installed directly on the hardware of a host server, where it manages several guest VMs and shares virtualized resources (memory, compute capacity, etc.) between them. “The reason most ransomware groups have implemented a Linux-based version of their ransomware is to specifically target ESXi,” says Fabian Wosar, CTO of Emsisoft.

When started on a Linux system, AvosLocker shuts down all the virtual machines managed by ESXi on the server with a single command, so that their disk files are no longer locked and can be encrypted. Once it runs on a compromised system, the ransomware appends the .avoslinux extension to every encrypted file and drops ransom notes. These tell the victim not to shut down the systems, to avoid file corruption, and point to a Tor link for paying the ransom. The amount can be particularly steep: according to BleepingComputer, at least one victim has been asked to pay $1 million.
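As an added example (not code from the article, and not from AvosLocker or any vendor), here is a small Python triage helper that walks a datastore directory tree and reports the files carrying the .avoslinux extension mentioned above, grouped by VM folder, so an operator can size the damage before deciding on recovery. The directory layout and file names in the sample tree are constructed for the example; the .avoslinux extension is the only indicator taken from the article.

```python
import os
import tempfile
from collections import defaultdict

# Indicator taken from the article: encrypted files get this extension appended.
ENCRYPTED_EXT = ".avoslinux"


def find_encrypted(root):
    """Walk `root` and return {vm_folder: [original_name, ...]} for every file
    whose name ends in ENCRYPTED_EXT. `original_name` is the name with the
    extension stripped, i.e. the file the VM actually lost (its .vmdk, .vmx, ...)."""
    hits = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(ENCRYPTED_EXT):
                vm_folder = os.path.relpath(dirpath, root)
                hits[vm_folder].append(name[: -len(ENCRYPTED_EXT)])
    return {vm: sorted(files) for vm, files in hits.items()}


def summarize(hits):
    """Return (total_encrypted_files, affected_vm_folder_count,
    sorted list of VM folders whose virtual disks (.vmdk) were encrypted)."""
    total = sum(len(files) for files in hits.values())
    disks_hit = sorted(vm for vm, files in hits.items()
                       if any(f.endswith(".vmdk") for f in files))
    return total, len(hits), disks_hit


def build_sample_datastore():
    """Construct a throwaway tree mimicking /vmfs/volumes/<datastore>/<vm>/.
    Constructed sample data only, not a real victim layout (assumption)."""
    root = tempfile.mkdtemp(prefix="ds1_")
    layout = {
        # fully encrypted VM: config and both disk files renamed
        "web01": ["web01.vmx.avoslinux", "web01.vmdk.avoslinux",
                  "web01-flat.vmdk.avoslinux", "vmware.log"],
        # partially encrypted VM: only the config file was reached
        "db01": ["db01.vmx.avoslinux", "db01.vmdk", "db01-flat.vmdk", "vmware.log"],
        # untouched VM
        "clean-vm": ["clean-vm.vmx", "clean-vm.vmdk", "clean-vm-flat.vmdk"],
    }
    for vm, files in layout.items():
        os.makedirs(os.path.join(root, vm))
        for name in files:
            with open(os.path.join(root, vm, name), "w") as fh:
                fh.write("sample\n")
    return root


if __name__ == "__main__":
    root = build_sample_datastore()
    hits = find_encrypted(root)
    total, vm_count, disks_hit = summarize(hits)
    print(f"{total} encrypted files across {vm_count} VM folders; "
          f"virtual disks hit in: {disks_hit}")
    for vm, files in sorted(hits.items()):
        print(f"  {vm}: {', '.join(files)}")
```

On a real host the `root` argument would be the mounted datastore path rather than the constructed tree; the split between folders whose .vmdk files were renamed and folders where only the .vmx was reached is what decides which VMs can be re-registered from a new config and which need restoring from backup.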
