
Emerging Threats

New ransomware threat against ESXi Linux servers: HelloKitty

· frtg · 4 min read

In recent days we identified a new variant of the known HelloKitty ransomware. The new variant, in circulation since March, interacts with esxcli, the command-line management tool for ESXi hosts and their virtual machines. The MalwareHunterTeam published evidence of esxcli-related commands associated with the new variant of the ransomware.

VMware ESXi

ESXi is a bare-metal hypervisor developed and distributed by VMware for enterprise users. It installs directly on server hardware and makes creating and managing virtual machines straightforward, with the virtual machines sharing the host's storage.

This product has long been a target, and criminal groups are adapting ever more quickly by developing dedicated malware variants. Among the new variants in circulation against ESXi servers (also known as ESX servers), we observed the HelloKitty ransomware, whose functionality has been extended with esxcli commands that shut down virtual machines.

ESXi Vulnerabilities

Multiple vulnerabilities in ESXi servers have been discovered over the years. The most dangerous concern remote code execution (RCE), with either user or administrative privileges.

Nearly half of the categorised CVEs are associated with the possibility of code execution, which is one of the main reasons criminals have taken an interest in ESXi systems.

Another alarming figure is that approximately 20% of the CVEs have a score above 60.

Among the most recently published CVEs, those requiring the greatest attention are CVE-2021-21972 in the vSphere Client (HTML5) component and CVE-2020-3992 in the OpenSLP service, both categorised as remote code execution (RCE) vulnerabilities.

The HelloKitty Ransomware

The HelloKitty ransomware, also known as Kitty ransomware, is distributed via malspam emails or executed on the system after an initial compromise of the perimeter. The threat actors behind it are less active than other groups (such as REvil, Avaddon and DarkSide), so significantly less is known about this group and its compromise and extortion methods.

One of the latest attacks attributed to this criminal group, which attracted significant attention, targeted the software house CD Projekt Red.

HelloKitty's behaviour is very similar to that of other ransomware: it terminates Windows processes and services, encrypts the files on the system and appends its own extension (.kitty or .crypted), deletes shadow copies to prevent recovery of the encrypted data, and drops a ransom note on the affected machines (read_me_lkdtt.txt or read_me_unlock.txt).

Below is a sample of the ransom note left by the ransomware after the attack on CEMIG (Companhia Energética de Minas Gerais) in 2020.

Hello CEMIG!

All your fileservers, HyperV infrastructure and backups have been encrypted!

Trying to decrypt or modify the files with programs other than our decryptor can lead to permanent loss of data!

The only way to recover your files is by cooperating with us.

To prove our seriousness, we can decrypt 1 non-critical file for free as proof. We have over 10 TB data of your private files, databases, personal data… etc, you have 24 hours to contact us, another way we publish this information in public channels, and this site will be unavailable.

The new functionality added to HelloKitty lets it detect the presence of an ESXi host and then use the esxcli tool to shut down the host's virtual machines. The procedure attempts to stop each machine in soft, hard and forced modes in turn.
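As an added illustration (not code from the original post), the following Python script flags this shutdown pattern in ESXi shell.log-style lines: escalating kill modes against a single VM and bursts of kills across several VMs within a short window. The log layout and sample lines are constructed for the example, the lines are assumed to be in chronological order, and the thresholds (60 seconds, two VMs) are assumptions to tune per environment.

```python
# Added example (not the post's own code): flag HelloKitty-style VM shutdowns in ESXi shell.log.
import re
from datetime import datetime

# Constructed sample lines in the style of /var/log/shell.log (layout approximated).
SAMPLE_LOG = """\
2021-07-15T10:00:01Z shell[2001]: [root]: esxcli vm process list
2021-07-15T10:00:03Z shell[2001]: [root]: esxcli vm process kill --type=soft --world-id=2102
2021-07-15T10:00:04Z shell[2001]: [root]: esxcli vm process kill --type=hard --world-id=2102
2021-07-15T10:00:05Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2102
2021-07-15T10:00:06Z shell[2001]: [root]: esxcli vm process kill --type=soft --world-id=2207
2021-07-15T10:00:07Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2207
2021-07-15T11:30:00Z shell[2310]: [root]: esxcli vm process kill --type=soft --world-id=2401
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b")
TYPE_RE = re.compile(r"--type[= ](soft|hard|force)\b")
WID_RE = re.compile(r"--world-id[= ](\d+)\b")
RANK = {"soft": 0, "hard": 1, "force": 2}  # esxcli kill modes, least to most aggressive

def parse_kills(log_text):
    # Return (timestamp, user, kill type, world id) for each 'esxcli vm process kill' line.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not KILL_RE.search(m["cmd"]):
            continue
        t, w = TYPE_RE.search(m["cmd"]), WID_RE.search(m["cmd"])
        if not (t and w):
            continue  # malformed kill command; esxcli itself would reject it
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["user"], t.group(1), w.group(1)))
    return events

def analyze(log_text, window_s=60, min_vms=2):
    events = parse_kills(log_text)
    per_vm = {}
    for _ts, _user, ktype, wid in events:
        per_vm.setdefault(wid, []).append(ktype)
    # soft -> hard -> force against one VM mirrors the retry sequence described in the text
    escalated = sorted(w for w, types in per_vm.items()
                       if any(RANK[b] > RANK[a] for a, b in zip(types, types[1:])))
    # several distinct VMs killed inside one short window: mass shutdown ahead of encryption
    burst_vms = set()
    for i, (ts, *_rest) in enumerate(events):
        window = {e[3] for e in events[i:] if (e[0] - ts).total_seconds() <= window_s}
        if len(window) >= min_vms:
            burst_vms |= window
    return {"kill_events": len(events), "escalated_vms": escalated,
            "burst": bool(burst_vms), "burst_vms": sorted(burst_vms)}
```

On a live host the same logic can be fed the contents of /var/log/shell.log, or the forwarded syslog stream, instead of SAMPLE_LOG.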

The best way to prevent a successful attack is to monitor ESXi systems continuously so that anomalies can be responded to promptly. Specialised Managed Detection and Response capabilities provide the necessary visibility into command-line activity and process execution patterns that indicate ransomware deployment.

The recommendation remains to back up systems and to maintain a continuous detection posture against ransomware campaigns targeting virtualisation infrastructure.
