Linux version of Qilin ransomware focuses on VMware ESXi


A sample of the Qilin ransomware gang's VMware ESXi encryptor has been found, and it could be one of the most advanced and customizable Linux encryptors seen to date.

The enterprise is increasingly moving to virtual machines to host its servers, as they allow for better usage of available CPU, memory, and storage resources.

Due to this adoption, almost all ransomware gangs have created dedicated VMware ESXi encryptors to target these servers.

While many ransomware operations utilize the leaked Babuk source code to create their encryptors, a few, such as Qilin, create their own encryptors to target Linux servers.

Qilin targets VMware ESXi

Last month, security researcher MalwareHunterTeam found a Linux ELF64 encryptor for the Qilin ransomware gang and shared it with BleepingComputer to analyze.

While the encryptor can be used on Linux, FreeBSD, and VMware ESXi servers, it heavily focuses on encrypting virtual machines and deleting their snapshots.

Qilin's encryptor is built with an embedded configuration specifying the extension for encrypted files, the processes to terminate, the files to encrypt or exclude, and the folders to encrypt or exclude.

However, it also includes numerous command-line arguments allowing extensive customization of these configuration options and of how files are encrypted on a server.

These command line arguments include options to enable a debug mode, perform a dry run without encrypting any files, or customize how virtual machines and their snapshots are encrypted.

[Image: Qilin Linux encryptor]
Source: BleepingComputer

The full list of command line options is listed below:

OPTIONS:
  -d,--debug               Enable debug mode (logging level set to DEBUG, disables backgrounding)
  --dry-run                Perform scan for files to be processed, do not modify them
  -h,--help                This help
  -l,--log-level <number>  Set logging level. Values are from 0 for FATAL up to 5 for DEBUG
  --no-df                  Ignore configured white-/black- lists of directories
  --no-ef                  Ignore configured white-/black- lists of extensions
  --no-ff                  Ignore configured white-/black- lists of files
  --no-proc-kill           Disables process kill
  -R,--no-rename           Disables rename of completed files
  --no-snap-rm             Disables snapshot deletion
  --no-vm-kill             Disables VM kill
  -p,--path <string>       Specifies top-level directory for files search
  --password <string>      Password for startup
  -r,--rename              Enables rename of completed files (default)
  -t,--timer <number>      Enabled timed delay before encryption (seconds)
  -w,--whitelist           Use whitelists for inclusion instead of blacklists for exclusion (later is default behavior)
  -y,--yes                 Assume answer 'yes' on all questions (script mode)

In the sample analyzed by BleepingComputer.com, the encryptor is configured by default with the following exclusions and targeting criteria:

Processes to not terminate:

"kvm", "qemu", "xen"

Directories to exclude from encryption:

"/boot/", "/proc/", "/sys/", "/run/", "/dev/", "/lib/", "/etc/", "/bin/", "/mbr/", "/lib64/", "/vmware/lifecycle/", "/vdtc/", "/healthd/"

Files to exclude from encryption:

"initrd", "vmlinuz", "basemisc.tgz", "boot.cfg", "bootpart.gz", "features.gz", "imgdb.tgz", "jumpstrt.gz", "onetime.tgz", "state.tgz", "useropts.gz"

File extensions to exclude from encryption:

"v00", "v01", "v02", "v03", "v04", "v05", "v06", "v07", "v08", "v09", "b00", "b01", "b02", "b03", "b04", "b05", "b06", "b07", "b08", "b09", "t00", "t01", "t02", "t03", "t04", "t05", "t06", "t07", "t08", "t09"

Directories to target for encryption:

"/home", "/usr/home", "/tmp", "/var/www", "/usr/local/www", "/mnt", "/media", "/srv", "/data", "/backup", "/var/lib/mysql", "/var/mail", "/var/spool/mail", "/var/vm", "/var/lib/vmware", "/opt/virtualbox", "/var/lib/xen", "/var/opt/xen", "/kvm", "/var/lib/docker", "/var/lib/libvirt", "/var/run/sr-mount", "/var/lib/postgresql", "/var/lib/redis", "/var/lib/mongodb", "/var/lib/couchdb", "/var/lib/neo4j", "/var/lib/cassandra", "/var/lib/riak", "/var/lib/influxdb", "/var/lib/elasticsearch"

File extensions to target for encryption:

"3ds", "3g2", "3gp", "7z", "aac", "abw", "ac3", "accdb", "ai", "aif", "aiff", "amr", "apk", "app", "asf", "asx", "atom", "avi", "bak", "bat", "bmp", "bup", "bz2", "cab", "cbr", "cbz", "cda", "cdr", "chm", "class", "cmd", "conf", "cow", "cpp", "cr2", "crdownload", "cs", "csv", "cue", "cur", "dat", "db", "dbf", "dds", "deb", "der", "desktop", "dmg", "dng", "doc", "docm", "dot", "dotm", "dotx", "dpx", "drv", "dtd", "dvi", "dwg", "dxf", "eml", "eps", "epub", "f4v", "fnt", "fon", "gam", "ged", "gif", "gpx", "gz", "h264", "hdr", "hpp", "hqx", "htm", "html", "ibooks", "ico", "ics", "iff", "image", "img", "indd", "iso", "jar", "java", "jfif", "jpe", "jpeg", "jpf", "jpg", "js", "json", "jsp", "key", "kml", "kmz", "log", "m4a", "m4b", "m4p", "m4v", "mcd", "mdbx", "mht", "mid", "mkv", "ml", "mobi", "mov", "mp3", "mp4", "mpa", "mpeg", "mpg", "msg", "nes", "numbers", "odp", "ods", "odt", "ogg", "ogv", "otf", "ova", "ovf", "pages", "parallels", "pcast", "pct", "pdb", "pdf", "pds", "pef", "php", "pkg", "pl", "plist", "png", "pptm", "prproj", "ps", "psd", "ptx", "py", "qcow", "qcow2", "qed", "qt", "r3d", "ra", "rar", "rm", "rmvb", "rtf", "rv", "rw2", "sh", "shtml", "sit", "sitx", "sketch", "spx", "sql", "srt", "svg", "swf", "tar", "tga", "tgz", "thmx", "tif", "tiff", "torrent", "ttf", "txt", "url", "vdi", "vhd", "vhdx", "vmdk", "vmem", "vob", "vswp", "vvfat", "wav", "wbmp", "webm", "webp", "wm", "wma", "wmv", "wpd", "wps", "xhtml", "xlsm", "xml", "xspf", "xvid", "yaml", "yml", "zip", "zipx"

Configuring a list of virtual machines that should not be encrypted is also possible.

When running the encryptor, a threat actor must specify the starting directory for encryption and a specific password tied to the encryptor.

When executed, the ransomware will determine whether it is running on a Linux, FreeBSD, or VMware ESXi server.

If it detects VMware ESXi, it will run the following esxcli and esxcfg-advcfg commands, which we have not seen in other ESXi encryptors in the past.

for I in $(esxcli storage filesystem list |grep 'VMFS-5' |awk '{print $1}'); do vmkfstools -c 10M -d eagerzeroedthick $I/eztDisk > /dev/null; vmkfstools -U $I/eztDisk > /dev/null; done
for I in $(esxcli storage filesystem list |grep 'VMFS-5' |awk '{print $1}'); do vmkfstools -c 10M -d eagerzeroedthick $I/eztDisk; vmkfstools -U $I/eztDisk; done
for I in $(esxcli storage filesystem list |grep 'VMFS-6' |awk '{print $1}'); do vmkfstools -c 10M -d eagerzeroedthick $I/eztDisk > /dev/null; vmkfstools -U $I/eztDisk > /dev/null; done
for I in $(esxcli storage filesystem list |grep 'VMFS-6' |awk '{print $1}'); do vmkfstools -c 10M -d eagerzeroedthick $I/eztDisk; vmkfstools -U $I/eztDisk; done
esxcfg-advcfg -s 32768 /BufferCache/MaxCapacity
esxcfg-advcfg -s 20000 /BufferCache/FlushInterval

VMware expert Melissa Palmer told BleepingComputer that these commands were likely copied from VMware support bulletins to resolve a known VMware memory heap exhaustion bug and increase performance when running ESXi commands on the server.

Before encrypting any detected virtual machines, the ransomware will first terminate all VMs and delete their snapshots using the following commands:

esxcli vm process list
vim-cmd vmsvc/getallvms
esxcli vm process kill -t force -w %llu
vim-cmd vmsvc/snapshot.removeall %llu > /dev/null 2>&1
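The two command groups above give a defender something concrete to hunt for in ESXi shell history. The following Python script is an added example for detection engineers; it is not code from the article or from the Qilin sample. It scores log lines against one rule per command family quoted above and raises an alert only when the combined weight crosses a threshold. The log lines, host name, timestamps, rule weights and threshold are all constructed assumptions of this example, and the line layout is only an approximation of a real ESXi shell log.

```python
"""Score ESXi shell activity for the command sequence the article attributes
to the Qilin encryptor. Added defensive example, not code from the article
or the sample; all log lines below are constructed, not real ESXi logs.
"""
import re
from typing import Dict, List, Tuple

# One rule per command family quoted in the article. Weights and the alert
# threshold are assumptions chosen for this example: the two BufferCache
# tuning commands alone (score 4) stay below the threshold because, as the
# article notes, they also appear in VMware support guidance.
RULES: List[Tuple[str, "re.Pattern[str]", int]] = [
    ("buffercache_tuning",
     re.compile(r"esxcfg-advcfg\s+-s\s+\d+\s+/BufferCache/(?:MaxCapacity|FlushInterval)"), 2),
    ("eztdisk_probe",
     re.compile(r"vmkfstools\s+-c\s+\S+\s+-d\s+eagerzeroedthick\s+\S+/eztDisk"), 2),
    ("force_kill_vm",
     re.compile(r"esxcli\s+vm\s+process\s+kill\s+-t\s+force"), 3),
    ("snapshot_removeall",
     re.compile(r"vim-cmd\s+vmsvc/snapshot\.removeall"), 3),
]
ALERT_THRESHOLD = 5


def analyze(log_text: str, threshold: int = ALERT_THRESHOLD) -> Dict[str, object]:
    """Match every line against every rule; return score, hits and verdict."""
    hits: List[Tuple[int, str, str]] = []
    score = 0
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for name, pattern, weight in RULES:
            if pattern.search(line):
                hits.append((line_no, name, line.strip()))
                score += weight
    return {
        "score": score,
        "alert": score >= threshold,
        "rules_hit": sorted({name for _, name, _ in hits}),
        "hits": hits,
    }


# Constructed sample: a routine inventory command followed by the sequence
# described in the article. Host name, PID and timestamps are made up.
SAMPLE_LOG = """\
2023-12-03T10:01:12Z esx01 shell[1001]: [root]: esxcli storage filesystem list
2023-12-03T10:01:40Z esx01 shell[1001]: [root]: vim-cmd vmsvc/getallvms
2023-12-03T10:02:05Z esx01 shell[1001]: [root]: esxcfg-advcfg -s 32768 /BufferCache/MaxCapacity
2023-12-03T10:02:06Z esx01 shell[1001]: [root]: esxcfg-advcfg -s 20000 /BufferCache/FlushInterval
2023-12-03T10:02:09Z esx01 shell[1001]: [root]: vmkfstools -c 10M -d eagerzeroedthick /vmfs/volumes/ds1/eztDisk
2023-12-03T10:02:11Z esx01 shell[1001]: [root]: esxcli vm process kill -t force -w 12345
2023-12-03T10:02:12Z esx01 shell[1001]: [root]: vim-cmd vmsvc/snapshot.removeall 7
"""

# Constructed benign session: inventory only.
BENIGN_LOG = """\
2023-12-03T09:00:00Z esx01 shell[990]: [root]: esxcli storage filesystem list
2023-12-03T09:00:10Z esx01 shell[990]: [root]: vim-cmd vmsvc/getallvms
"""

# Constructed session applying only the BufferCache tuning from support guidance.
TUNING_ONLY_LOG = """\
2023-12-03T09:30:00Z esx01 shell[995]: [root]: esxcfg-advcfg -s 32768 /BufferCache/MaxCapacity
2023-12-03T09:30:01Z esx01 shell[995]: [root]: esxcfg-advcfg -s 20000 /BufferCache/FlushInterval
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_LOG), ("benign", BENIGN_LOG), ("tuning", TUNING_ONLY_LOG)):
        result = analyze(text)
        print(f"{label}: score={result['score']} alert={result['alert']} rules={result['rules_hit']}")
```

The weights deliberately put the destructive commands (forced VM kill, snapshot removal) above the tuning commands, so a session that only applies the BufferCache settings from VMware guidance scores 4 and does not alert, while the full sequence scores 12.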

All targeted files will then be encrypted and have the configured extension appended to the file name.

In each folder, a ransom note named [extension]_RECOVER.txt will be created that contains links to the ransomware gang's Tor negotiation site and the login credentials required to access the victim's chat page.

[Image: Qilin ransom note]
Source: BleepingComputer
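The note naming and extension-appending behaviour described above are the two artifacts an incident responder can triage from quickly. The following Python script is an added example, not code from the article: it walks a file tree, derives the encryption extension from any [extension]_RECOVER.txt note it finds, and counts renamed files per folder so that the scope of the damage can be estimated before restoring from backup. The directory layout, file names and the extension "abc123" are constructed for the example.

```python
"""Triage a file tree for the artifacts the article describes: a note named
<extension>_RECOVER.txt in each folder and data files renamed with that
extension. Added example for incident responders; not code from the article.
"""
import os
import re
import tempfile
from collections import Counter
from typing import Dict, List

# The note name pattern follows the article: "[extension]_RECOVER.txt".
NOTE_RE = re.compile(r"^(?P<ext>[A-Za-z0-9]+)_RECOVER\.txt$")


def find_notes(root: str) -> Dict[str, List[str]]:
    """Return {extension: [folders containing a note for that extension]}."""
    notes: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                notes.setdefault(m.group("ext"), []).append(dirpath)
    return notes


def count_encrypted(root: str, ext: str) -> Counter:
    """Count files per folder whose name ends with '.' + ext (the appended extension)."""
    per_folder: Counter = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith("." + ext) and not NOTE_RE.match(name):
                per_folder[dirpath] += 1
    return per_folder


def triage(root: str) -> Dict[str, Dict[str, object]]:
    """Build a per-extension report of note locations and renamed-file counts."""
    report: Dict[str, Dict[str, object]] = {}
    for ext, folders in find_notes(root).items():
        counts = count_encrypted(root, ext)
        report[ext] = {
            "note_folders": sorted(folders),
            "encrypted_files": sum(counts.values()),
            "folders_with_encrypted_files": sorted(counts),
        }
    return report


def build_sample_tree(root: str) -> None:
    """Create a constructed tree: two data folders hit, one excluded folder untouched."""
    layout = {
        "srv/www": ["index.html.abc123", "config.php.abc123", "abc123_RECOVER.txt"],
        "var/lib/mysql": ["ibdata1.abc123", "abc123_RECOVER.txt"],
        # /boot is on the encryptor's default exclusion list, so nothing here is renamed.
        "boot": ["vmlinuz", "boot.cfg"],
    }
    for rel, names in layout.items():
        folder = os.path.join(root, rel)
        os.makedirs(folder, exist_ok=True)
        for name in names:
            with open(os.path.join(folder, name), "w") as fh:
                fh.write("constructed sample content\n")


def demo() -> Dict[str, Dict[str, object]]:
    """Run the triage over the constructed tree and return folders relative to its root."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        report = triage(root)
        return {
            ext: {
                "note_folders": [os.path.relpath(p, root) for p in entry["note_folders"]],
                "encrypted_files": entry["encrypted_files"],
                "folders_with_encrypted_files": [
                    os.path.relpath(p, root) for p in entry["folders_with_encrypted_files"]
                ],
            }
            for ext, entry in report.items()
        }


if __name__ == "__main__":
    for ext, entry in demo().items():
        print(f"extension .{ext}: {entry['encrypted_files']} renamed files in {entry['folders_with_encrypted_files']}")
```

Point triage() at a mounted, read-only copy of the affected filesystem rather than the live host; the report shows the excluded folder (boot) absent from the results, matching the default exclusions listed earlier.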

BleepingComputer has seen ransom demands ranging from $25,000 to millions of dollars.

The Qilin ransomware operation

The Qilin ransomware operation was initially launched as "Agenda" in August 2022. However, by September, it had rebranded under the name Qilin, which it continues to operate as to this day.

Like other enterprise-targeting ransomware operations, Qilin will breach a company's networks and steal data as they spread laterally to other systems.

When done collecting data and gaining server admin credentials, the threat actors deploy the ransomware to encrypt all devices on the network.

The stolen data and the encrypted files are then used as leverage in double-extortion attacks to coerce a company into paying a ransom demand.

Since its launch, the ransomware operation has had a steady stream of victims but has seen increased activity toward the end of 2023.

A recent attack by Qilin was on the auto-parts giant Yanfeng.