Tag: esxi

12 Attack Reports | 0 Vulnerabilities

Attack reports

VECT: Ransomware by design, Wiper by accident

Check Point Research discovered critical flaws in VECT 2.0 ransomware affecting Windows, Linux, and ESXi platforms. A fundamental encryption implementation error causes files larger than 128 KB to be permanently destroyed rather than encrypted. The malware uses ChaCha20-IETF cipher but only saves o…
lateral movement
wiper
chacha20
esxi
raas
multi-platform
teampcp
2026-04-28
encryption flaw
vect
Published: April 28, 2026
Downloadable IOCs: 7

Kyber Ransomware Double Trouble: Windows and ESXi Attacks Explained

Kyber ransomware represents a significant threat through dual-platform deployment capabilities targeting VMware ESXi virtualization infrastructure and Windows file systems. During a March 2026 incident response engagement, two Kyber payloads were recovered from the same environment. The ESXi varian…
rust
cross-platform
esxi
chacha8
virtualization
vmware
hyper-v
2026-04-22
kyber
Published: April 22, 2026
Downloadable IOCs: 3

LockBit strikes with new 5.0 version, targeting Windows, Linux and ESXI systems

LockBit 5.0, the latest version of the notorious ransomware, has been released with support for Windows, Linux, and ESXi systems. This update brings improved defense evasion, faster encryption, and enhanced modularity. The Windows variant employs extensive anti-analysis techniques, while Linux and …
linux
ransomware
windows
lockbit
encryption
smokeloader
esxi
infrastructure
double-extortion
virtualization
defense-evasion
2026-02-12
Published: February 12, 2026
Downloadable IOCs: 6

From Linear to Complex: An Upgrade in RansomHouse Encryption

RansomHouse, a ransomware-as-a-service operation run by Jolly Scorpius, has undergone a significant upgrade in encryption methods. The attack chain involves operators developing tools, attackers deploying ransomware, and victims being targeted. Two key components, MrAgent and Mario, are used to com…
encryption
ransomware-as-a-service
esxi
ransomhouse
virtualization
2025-12-17
mario
mragent
Published: December 17, 2025
Downloadable IOCs: 4

License to Encrypt: Make Their Move

'The Gentlemen' ransomware group emerged in July 2025, employing advanced dual-extortion tactics. They encrypt data and exfiltrate sensitive information, threatening to release it unless a ransom is paid. The group developed their own Ransomware-as-a-Service (RaaS) platform after experimenting with…
linux
ransomware
windows
persistence
encryption
esxi
raas
2025-11-19
the gentlemen
dual-extortion
Published: November 19, 2025
Downloadable IOCs: 0

New LockBit 5.0 Targets Windows, Linux, ESXi

Trend Research analyzed the latest version of LockBit ransomware, LockBit 5.0, which exhibits advanced obfuscation, anti-analysis techniques, and cross-platform capabilities for Windows, Linux, and ESXi systems. The Windows variant uses heavy obfuscation and packing, loading its payload through DLL…
obfuscation
ransomware
anti-analysis
encryption
cross-platform
esxi
virtualization
2025-09-29
dll reflection
lockbit 5.0
Published: September 29, 2025
Downloadable IOCs: 5

BERT Ransomware Group Targets Asia and Europe on Multiple Platforms

A newly emerged ransomware group called BERT has been targeting organizations across Asia and Europe since April. The group employs simple code with effective execution, impacting sectors such as healthcare, technology, and event services. BERT's ransomware operates on both Windows and Linux platfo…
linux
ransomware
powershell
windows
encryption
esxi
europe
asia
2025-07-07
bert
Published: July 7, 2025
Downloadable IOCs: 9

Inside BRUTED: Black Basta (RaaS) Used Automated Brute Forcing Framework to Target Edge Network Devices

Black Basta, a ransomware-as-a-service group, has been using an automated brute forcing framework called BRUTED to target edge network devices since 2023. The framework performs internet scanning and credential stuffing against firewalls and VPN solutions in corporate networks. Black Basta prioriti…
ransomware
cobalt strike
black basta
vpn
esxi
brute ratel
raas
edge devices
brute-force
firewall
2025-03-17
credential-stuffing
edge-devices
bruted
2025-04-16
Published: April 16, 2025
Downloadable IOCs: 18

The Anatomy of Abyss Locker Ransomware Attack

Abyss Locker (AKA Abyss ransomware) is a relatively new threat group that emerged in 2023, specializing in swift and decisive intrusions designed to cripple victims with ransomware. Abyss Locker was active throughout 2024, causing multiple incidents investigated by Sygnia. However, no recent techni…
backdoor
ransomware
rclone
persistence
service
esxi
chisel
psexec
2025-02-10
file
locker
abyss locker
defender
smbexec
strong
vulnerable
remcom
impact
story
patch
restrict
velvet
ssh tunneling
Published: February 10, 2025
Downloadable IOCs: 15

Akira ransomware continues to evolve

Akira ransomware has established itself as a prominent threat, constantly evolving its tactics. Initially employing double-extortion, it shifted focus to data exfiltration in early 2024. The group developed a Rust variant of their ESXi encryptor, moving away from C++. Recently, Akira has returned t…
linux
ransomware
windows
rust
CVE-2024-37085
vulnerability exploitation
akira
CVE-2023-27532
esxi
CVE-2024-40766
CVE-2023-48788
double-extortion
CVE-2024-40711
CVE-2023-20269
2024-10-22
CVE-2020-3259
CVE-2023-20263
chacha8
megazord
Published: October 22, 2024
Linked vulnerabilities : CVE-2024-37085 (CVSS 6.8), CVE-2024-40766 (CVSS 9.8), CVE-2024-40711 (CVSS 9.8), CVE-2023-27532, CVE-2023-20269, CVE-2020-3259, CVE-2023-48788, CVE-2023-20263
Downloadable IOCs: 37

THREAT ANALYSIS: Beast Ransomware

The Beast Ransomware group, active since 2022, offers a Ransomware-as-a-Service (RaaS) platform with constant updates. It supports Windows, Linux, and ESXi systems, providing affiliates with customizable binary options. Beast employs advanced encryption methods, including Elliptic-curve and ChaCha2…
linux
windows
encryption
esxi
raas
2024-10-19
geofencing
file-targeting
multithreading
beast ransomware
self-propagation
monster
Published: October 19, 2024
Downloadable IOCs: 0

New Play Ransomware Linux Variant Targets ESXi Shows Ties

The Play ransomware group, known for double-extortion tactics and advanced evasion techniques, has developed a new Linux variant specifically designed to target VMware ESXi environments. This variant aims to encrypt virtual machines (VMs) and associated files, potentially causing significant operat…
2024-07-22
esxi
coroxy
Published: July 22, 2024
Downloadable IOCs: 2
Click here to see more Attack Reports