{"id":2932,"date":"2021-07-19T14:56:23","date_gmt":"2021-07-19T12:56:23","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=2932"},"modified":"2026-06-08T22:08:52","modified_gmt":"2026-06-08T22:08:52","slug":"hellokitty-ransomware-esxi-linux","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/hellokitty-ransomware-esxi-linux\/","title":{"rendered":"New ransomware threat against ESXi Linux servers: HelloKitty"},"content":{"rendered":"\n<p style=\"text-align: justify\">In recent days we identified a new variant of the known <strong>HelloKitty Ransomware<\/strong>. The new variant, in circulation since March, interacts with the <strong>esxicli<\/strong> software, the command-line management tool for <strong>ESXi<\/strong> virtual machines. The <strong>MalwareHunter<\/strong> team published evidence of esxicli-related commands associated with a new variant of the ransomware:<\/p>\n\n\n\n<blockquote class=\"twitter-tweet\"><p lang=\"en\" dir=\"ltr\">Seems no one mentioned yet, so let me do it: the Linux version of HelloKitty ransomware was already using esxcli at least in early March for stopping VMs&#8230;<a href=\"https:\/\/twitter.com\/VK_Intel?ref_src=twsrc%5Etfw\">@VK_Intel<\/a> <a href=\"https:\/\/twitter.com\/demonslay335?ref_src=twsrc%5Etfw\">@demonslay335<\/a> <a href=\"https:\/\/t.co\/atSv0OO7YL\">pic.twitter.com\/atSv0OO7YL<\/a><\/p>&mdash; MalwareHunterTeam (@malwrhunterteam) <a href=\"https:\/\/twitter.com\/malwrhunterteam\/status\/1415403132230803460?ref_src=twsrc%5Etfw\">July 14, 2021<\/a><\/blockquote> \n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\">VMWare ESXi<\/h2>\n\n\n\n<p style=\"text-align: justify\">ESXi is a <strong>bare-metal hypervisor<\/strong> developed and distributed by VMWare for enterprise users. The software installs on any server and allows the creation and control of virtual machines with extreme ease. This enables virtual machines to share the same storage space.<\/p>\n<p><span>This product has been targeted for a long time, and, increasingly rapidly, several criminal groups have adapted by developing dedicated malware variants. Among the new malware variants in circulation targeting ESXi servers (also known as ESX servers), we observed the <\/span><strong>HelloKitty ransomware<\/strong><span>, whose functionality has been enriched with <\/span><strong>esxicli<\/strong><span> commands for shutting down virtual machines.<\/span><\/p>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\">ESXi Vulnerabilities<\/h2>\n\n\n\n<p style=\"text-align: justify\">Multiple vulnerabilities in ESXi servers have been discovered over the years. The most dangerous concern remote code execution (<strong>RCE<\/strong>), both with user privileges and administrative privileges.<\/p>\n\n\n\n<div class=\"wp-block-media-text alignwide\" style=\"grid-template-columns:43% auto\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/07\/image-17.png\" alt=\"\" class=\"wp-image-2938\" loading=\"lazy\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p class=\"has-large-font-size\" style=\"text-align: justify\"><strong>Nearly half of the CVEs<\/strong> that received categorisation are associated with the possibility of code execution. This is one of the main reasons why criminals have taken interest in <strong>ESXi<\/strong> systems.<\/p>\n<\/div><\/div>\n\n\n\n<div class=\"wp-block-media-text alignwide has-media-on-the-right\"><figure class=\"wp-block-media-text__media\"><img decoding=\"async\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/07\/image-19.png\" alt=\"\" class=\"wp-image-2943\" loading=\"lazy\" \/><\/figure><div class=\"wp-block-media-text__content\">\n<p class=\"has-large-font-size\" style=\"text-align: justify\">Another alarming data point is represented by the fact that approximately <strong>20%<\/strong> of CVEs have a score above <strong>60<\/strong>.<\/p>\n<\/div><\/div>\n\n\n\n<p style=\"text-align: justify\">Among the latest published CVEs, those requiring greatest attention are <strong>CVE-2021-21972<\/strong> for the <strong>vSphere Client (HTML5)<\/strong> component and <strong>CVE-2020-3992<\/strong> for the <strong>OpenSLP<\/strong> service, both categorised as <strong>RCE (Remote Command Execution)<\/strong> vulnerabilities.<\/p>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\">The HelloKitty Ransomware<\/h2>\n\n\n\n<p style=\"text-align: justify\">The <strong>HelloKitty<\/strong> ransomware, also known as <strong>Kitty Ransomware<\/strong>, is distributed via <strong><em>malspam<\/em><\/strong> emails or <b>executed<\/b> in the system following initial perimeter compromise. The <strong>threat actors<\/strong> distributing this specific <em>ransomware<\/em> are less active compared to other groups (such as <strong>REvil<\/strong>, <strong>Avaddon<\/strong>, <strong>DarkSide<\/strong>). For this reason, significantly less information exists about this group and their <strong>compromise<\/strong> and <strong>extortion<\/strong> methods.<\/p>\n\n\n\n<p style=\"text-align: justify\">One of the latest attacks attributed to this criminal group that attracted significant attention was against the software house <strong>CD Projekt Red<\/strong>:<\/p>\n\n\n\n<blockquote class=\"twitter-tweet\"><p lang=\"en\" dir=\"ltr\">Important Update <a href=\"https:\/\/t.co\/PCEuhAJosR\">pic.twitter.com\/PCEuhAJosR<\/a><\/p>&mdash; CD PROJEKT RED (@CDPROJEKTRED) <a href=\"https:\/\/twitter.com\/CDPROJEKTRED\/status\/1359048125403590660?ref_src=twsrc%5Etfw\">February 9, 2021<\/a><\/blockquote> \n\n\n\n<p style=\"text-align: justify\">HelloKitty&#8217;s behaviour is very similar to that of other ransomware: it terminates Windows processes and services; encrypts files present in the system with its own extension (<strong>.kitty<\/strong> or <strong>.crypted<\/strong>); deletes <em><strong>shadow copies<\/strong><\/em> of encrypted data to prevent <em>restore<\/em> of the same; and releases a ransom note on affected machines (<strong>read_me_lkdtt.txt<\/strong> or <strong>read_me_unlock.txt<\/strong>).<\/p>\n\n\n\n<p style=\"text-align: justify\">Below we show a sample of the ransom note left by the ransomware following an attack on CEMIG (Companhia Energ\u00e9tica de Minas Gerais) in 2020.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Hello CEMIG!\n\nAll your fileservers, HyperV infrastructure and backups have been encrypted!\n\nTrying to decrypt or modify the files with programs other than our decryptor can lead to permanent loss of data!\n\nThe only way to recover your files is by cooperating with us.\n\nTo prove our seriousness, we can decrypt 1 non-critical file for free as proof. We have over 10 TB data of your private files, databases, personal data\u2026 etc, you have 24 hours to contact us, another way we publish this information in public channels, and this site will be unavailable.<\/code><\/pre>\n\n\n\n<p style=\"text-align: justify\">The new functionality extending HelloKitty allows identification of the presence of an ESXi server and subsequent interaction with the <strong>esxicli<\/strong> tool to shut down the server&#8217;s virtual machines. The procedure adopted involves shutdown attempts of machines in <strong>soft<\/strong>, <strong>hard<\/strong>, and <strong>forced<\/strong> modes.<\/p>\n\n\n\n<p style=\"text-align: justify\">The best solution to prevent a successful attack is to continuously monitor ESXi systems to enable prompt response in case of anomalies. Specialised <a href=\"https:\/\/fortgale.com\/en\/managed-detection-and-response\/\">Managed Detection and Response<\/a> capabilities provide the necessary visibility into command-line activity and process execution patterns indicative of ransomware deployment.<\/p>\n\n\n\n<p style=\"text-align: justify\">The recommendation remains to perform system backups and maintain continuous detection posture against ransomware campaigns targeting virtualisation infrastructure.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>HelloKitty ransomware variant targeting VMware ESXi Linux hypervisors: encryption of virtual machine files, hypervisor-level impact and detection considerations.<\/p>\n","protected":false},"author":1,"featured_media":1618,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[129,130,168,3135,3134,378],"class_list":["post-2932","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-esx","tag-esxi","tag-hellokitty","tag-hypervisor-attack","tag-linux-ransomware","tag-vmware"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2932","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=2932"}],"version-history":[{"count":1,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2932\/revisions"}],"predecessor-version":[{"id":9847,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/2932\/revisions\/9847"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=2932"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=2932"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=2932"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}