Ongoing Ransomware Campaign Targeting VMware ESXi Servers
28 April 2023
An ongoing ransomware campaign has been observed deploying a Linux encryptor that targets virtual machines (VMs) hosted on VMware ESXi servers. The encryptor appears to have been built specifically for ESXi environments: it contains multiple references to the commands used to manage virtual machines on ESXi hosts.
Possible indicators of compromise (IOCs) associated with the ongoing ransomware campaign are shown in the table below.
Indicators of compromise
Type | Indicator | Description |
---|---|---|
File Hash | 55b85e76abb172536c64a8f6cf4101f943ea826042826759ded4ce46adc00638 | SHA256 |
File Hash | b376d511fb69085b1d28b62be846d049629079f4f4f826fd0f46df26378e398b | SHA256 |
File Hash | d68c99d7680bf6a4644770edfe338b8d0591dfe143278412d5ed62848ffc99e0 | SHA256 |
File Name | vmlist.tmp.txt | Enumerates the ESXi VMs currently running on the system |
Administrators may wish to track and block the IOCs associated with this malware: add the SHA256 hashes above to endpoint and gateway blocklists, and monitor ESXi hosts for the creation of, or unauthorised access to, a file named vmlist.tmp.txt, which the encryptor uses to record the VMs running on the system.
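The following is an added example and not part of the advisory: a small sweep that walks a directory tree, hashes each regular file with SHA256, and reports any file whose digest or name matches the IOC table above. It is meant to be run against exported datastore or scratch volumes on a host where you cannot install an agent. The sample directory it builds is constructed inline (the file contents are made up) so it runs offline; because no safe sample carries the real malicious hashes, the demo additionally injects the benign sample file's own hash into the IOC set to exercise the hash-matching path. Function names, the temporary-tree layout and the sample contents are all assumptions of this example.

```python
"""
Added example (not from the advisory): sweep a directory tree for the
SHA256 hashes and the file name listed in the IOC table, returning a
list of matches a responder can act on.
"""
import hashlib
import os
import tempfile

# The three SHA256 hashes and the file name from the advisory's IOC table.
IOC_HASHES = {
    "55b85e76abb172536c64a8f6cf4101f943ea826042826759ded4ce46adc00638",
    "b376d511fb69085b1d28b62be846d049629079f4f4f826fd0f46df26378e398b",
    "d68c99d7680bf6a4644770edfe338b8d0591dfe143278412d5ed62848ffc99e0",
}
IOC_FILENAMES = {"vmlist.tmp.txt"}


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-GB datastore files do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, hashes=IOC_HASHES, filenames=IOC_FILENAMES):
    """Walk `root` and return (match_type, path, detail) tuples for every hit.

    match_type is 'hash' for a SHA256 match and 'name' for a file-name match.
    Symlinks are neither followed nor hashed, so a planted link cannot steer
    the sweep outside `root` or make it hash an arbitrary device file.
    Caveat: exact-hash matching only catches these three builds; a recompiled
    or repacked variant will not match, so the name check is kept separate.
    """
    hits = []
    for dirpath, _dirnames, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            if name in filenames:
                hits.append(("name", path, name))
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if digest in hashes:
                hits.append(("hash", path, digest))
    return hits


def build_sample_tree():
    """Constructed test data (assumption of this example, not real samples):
    one benign file plus a file carrying the IOC name vmlist.tmp.txt."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("nothing to see\n")
    os.makedirs(os.path.join(root, "tmp"))
    with open(os.path.join(root, "tmp", "vmlist.tmp.txt"), "w") as f:
        f.write("vmid name\n")  # made-up content, not a captured file
    return root


def demo():
    """Run the sweep twice over the constructed tree: first with the advisory's
    IOCs (only the file-name hit is expected), then with the benign file's own
    hash injected into the set so the hash path is exercised as well.
    Returns (baseline_hits, injected_hits, benign_path)."""
    root = build_sample_tree()
    baseline = scan_tree(root)
    benign = os.path.join(root, "notes.txt")
    injected = scan_tree(root, hashes=IOC_HASHES | {sha256_file(benign)})
    return baseline, injected, benign


if __name__ == "__main__":
    for kind, path, detail in demo()[1]:
        print(f"{kind:4s} {path} {detail}")
```

On a real host, replace `build_sample_tree()` with the mount point you want to sweep (for example an exported datastore) and feed the `hash` hits to your blocklist tooling; a `name` hit for vmlist.tmp.txt is worth an immediate look at the host's recent shell and SSH activity even if no hash matched.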
Users and administrators may refer to our advisory on how to protect their systems and data from ransomware threats here.
If your organisation is a victim of a ransomware incident, please refer to our ransomware response checklist here.
More information is available here:
https://www.uptycs.com/blog/rtm-locker-ransomware-as-a-service-raas-linux