Ransomware and Virtual Servers
The notorious criminal group Pinchy Spider, known for its RaaS (Ransomware as a Service) offering REvil, has developed a new ransomware variant, designated REvix, that targets Linux and ESXi environments. The new variant expands the attack surface available to affiliates and consequently increases their opportunities for ransom demands.
Ransomware objectives
The ransomware has been engineered to target Linux-based and ESXi environments. The latter has been subject to multiple vulnerabilities in recent months, enabling attackers to execute remote commands with administrative privileges (CVE-2021-21972).
REvix is distributed as a 64-bit ELF executable and can encrypt files on any Linux system with Intel x86-64 architecture capable of dynamically linking glibc 2.2.5 or loading ELF files.
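As an added triage helper (not code from the original article or from any vendor tool), the following Python reads an ELF header and its program headers to confirm the profile described above: 64-bit, x86-64, dynamically linked, and which GLIBC_ symbol versions the file references (found with a string heuristic over the image rather than a full .dynstr parse). The sample image in build_sample is constructed inline for the test and is not a real binary.

```python
import re
import struct

# ELF constants (from the ELF specification); only ELF64 little-endian is decoded
ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB, EM_X86_64 = 2, 1, 62
PT_DYNAMIC, PT_INTERP = 2, 3
# Heuristic: versioned glibc symbol references appear as GLIBC_x.y strings in .dynstr
GLIBC_VER_RE = re.compile(rb"GLIBC_(\d+(?:\.\d+)+)")


def triage_elf(data: bytes) -> dict:
    """Report class, machine, dynamic linking, interpreter and glibc versions of an ELF blob."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    result = {"class64": data[4] == ELFCLASS64, "little_endian": data[5] == ELFDATA2LSB,
              "x86_64": False, "dynamic": False, "interp": None, "glibc_versions": []}
    if not (result["class64"] and result["little_endian"]):
        return result  # 32-bit or big-endian layouts are out of scope for this helper
    # ELF64 header after e_ident: type, machine, version, entry, phoff, shoff, flags,
    # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    fields = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
    e_machine, e_phoff, e_phentsize, e_phnum = fields[1], fields[4], fields[8], fields[9]
    result["x86_64"] = e_machine == EM_X86_64
    for i in range(e_phnum):  # walk program headers for PT_INTERP / PT_DYNAMIC
        off = e_phoff + i * e_phentsize
        if off + 56 > len(data):
            break
        p_type, _, p_offset, _, _, p_filesz, _, _ = struct.unpack_from("<IIQQQQQQ", data, off)
        if p_type == PT_INTERP:
            result["interp"] = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode(errors="replace")
        elif p_type == PT_DYNAMIC:
            result["dynamic"] = True
    found = {m.group(1).decode() for m in GLIBC_VER_RE.finditer(data)}
    result["glibc_versions"] = sorted(found, key=lambda v: tuple(int(p) for p in v.split(".")))
    return result


def build_sample() -> bytes:
    """Constructed minimal ELF64 x86-64 image for testing; it is not a real or runnable binary."""
    interp = b"/lib64/ld-linux-x86-64.so.2\0"
    dynstr = b"\0GLIBC_2.2.5\0GLIBC_2.14\0"
    phoff, phnum = 64, 2
    interp_off = phoff + 56 * phnum
    dynstr_off = interp_off + len(interp)
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\0" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, EM_X86_64, 1, 0, phoff, 0, 0, 64, 56, phnum, 0, 0, 0)
    ph_interp = struct.pack("<IIQQQQQQ", PT_INTERP, 4, interp_off, 0, 0, len(interp), len(interp), 1)
    ph_dynamic = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dynstr_off, 0, 0, len(dynstr), len(dynstr), 8)
    return ehdr + ph_interp + ph_dynamic + interp + dynstr
```

Running triage_elf over a real sample gives an x86_64/dynamic/glibc-version profile that can be compared against the REvix description before deeper analysis.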
ESXi variant
Like Pinchy Spider, other criminal groups have successfully developed ESXi-specific ransomware variants. Notable actors include Carbon Spider, known for the DarkSide ransomware, and Sprite Spider, already known for its DEFRAY777 ransomware, which can target ESXi environments.
The increasing adoption of virtualization platforms has driven criminal groups to focus on the infrastructure that underpins them, VMware in particular. We have tracked this shift as attackers recognize that Managed Detection and Response coverage remains inconsistently deployed across virtualization layers. Hardening these environments is therefore necessary to limit the consequences of a ransomware deployment. The convergence of ransomware development on hypervisor-targeting variants reflects an operational reality: compromised virtual infrastructure gives attackers rapid lateral movement and mass encryption across many guest systems at once.