BlackBasta is the latest ransomware to target ESXi virtual machines on Linux

BlackBasta is the latest ransomware to target ESXi virtual machines on Linux

BlackBasta, an alleged subdivisionof the ransomware group Conti, just began supporting the encryption of VMware’s ESXi virtual machines (VM) installed on enterprise Linuxservers. Because more and more organizations have begun using VMs for cost-effectiveness and easier management of devices, this change in tactic makes sense.

An ESXi VMis a bare-metal hypervisorsoftware. Software can be characterized as “bare metal” if installed directly onto the physical machine, between the hardware and the operating system.

Siddharth Sharma and Nischay Hegde, threat researchers from Uptycs, were the first to spot and reveal BlackBasta’s tactical change in a report.

On Linux: BlackBasta 101

BlackBasta first appeared in April 2022 after the group ramped up their attacks against dozens of organizations. Although the brand seems relatively new, the way the group quickly accumulates victims, as well as their negotiation tactics, betray a level of experience not seen in fledgling and inexperienced online criminal gangs. This is probably why many cybersecurity communitiesassociate them with known ransomware actors, particularly Conti.

Like other ransomware variants targeting Linux systems, BlackBasta encrypts the /vmfs/volumesfolder. This is where virtual machines on ESXi servers are stored. Encrypting the files here will render VMs unusable.

If it cannot find this folder, however, the ransomware exits.

BlackBasta ransomware uses ChaCha20, a cryptographic algorithm known for its speed, to encrypt files. This is run in parallel with multithreading to make encryption faster, further avoid detection, and increase ransomware throughput.

Once files are encrypted, the extension .bastais appended at the end of all affected files. BlackBasta also drops the ransom note, readme.txt, which contains a unique ID and a URL to a chat support channel accessible only using Tor.

A section of the ransom note reads:

Your data are stolen and encryptedThe data will be published on TOR website if you do not pay the ransomYou can contact us and decrypt one file for free on this TOR site(you should download and install TOR browser first{URL redacted}

Protect your Linux ESXi VM against ransomware attacks

Vincent Bariteau, Threat Intelligence Support Analyst at Malwarebytes, recommends organizations follow these best practices to protect their Linux servers against ransomware attacks if they’re using ESXi VM:

  • Harden the SSH (Secure Shell) access to allow only a specific user to use it.
  • Disable SSH if it’s not needed, or only make it available from a specific network/IP address via a firewall configuration.
  • Ensure that you are following VMWare’s general security recommendations for ESXi.

Organizations also have the option of using a free, open-sourced tool called Lynis, which is an auditing tool.

You can also read our article on 5 Linux malware families SMBs should protect themselves against.


Jovi Umawing

Knows a bit about everything and a lot about several somethings. Writes about those somethings, usually in long-form.