The new ransomware strain Black Basta is now actively targeting VMware ESXi servers in an ongoing campaign, encrypting files inside a targeted volumes folder.

2 Min Read
faceless hacker with a hooded sweatshirt against a black background with the word "ransomware"
Source: Igor Stevanovic, via Alamy Stock Photo

The Black Basta ransomware emerged last month to target Windows-based systems only, but now the latest ransomware binary is going after VMware virtual machines (VMs). 

The latest variant looks to encrypt VMs present inside the volumes folder (/vmfs/volumes) on ESXi-based systems and servers, according to research shared with Dark Reading by Uptycs. It uses the ChaCha20 algorithm to encrypt the files, researchers say, and also multithreading for encryption to utilize multiple processors and make itself faster and harder to detect.

“Provided that the resources on the servers are much more than on a normal system, using these kinds of mechanisms makes the ransomware work much faster for encrypting files,” explains Uptycs security researcher Siddharth Sharma.

He tells Dark Reading that the attackers are constantly making advancements in the malware attack chain to target more and more victims – just like in this case, which the team could see by the addition of the "*nix" component inside the binary.

“Most of the organizations that have private clouds based on VMware ESXi hosts, or organizations that use ESXi hosts to store data and other operational work, it becomes important to keep a close eye and monitoring mechanisms on sensitive folders [and data] present inside the systems and servers,” he said.

During Uptycs’ investigation and analysis of the ransomware binary, it found evidence indicating that the actors behind this campaign are the same ones behind early Black Basta campaigns.

“We found the onion link for the attacker's chat panel was the same as previous versions of the Black Basta ransomware binaries, which targeted Windows systems,” Sharma said.

Along with that, the extension used by the ransomware binary on encrypted files was the same as previous versions (.basta).

The Uptycs finding follows research by the NCC Group, which Tuesday uncovered a new partnership between Black Basta and the Qbot (aka Qakbot) malware family, which steals bank credentials, Windows domain credentials, and delivers malware onto infected systems.

During a recent incident response, the Black Basta gang was observed using Qbot to spread laterally throughout the network.

“Qakbot was the primary method utilized by the threat actor to maintain their presence on the network," the report stated.

Other hallmarks of the campaign included:

  • Gathering internal IP addresses of all hosts on the network.

  • Disabling Windows Defender.

  • Deleting Veeam backups from Hyper-V servers.

  • Use of WMI to push out the ransomware.

YouAttest CEO Garret Grajek tells Dark Reading that the key takeaway from this advisory is the collaboration and integration of hacking components and groups.

“One group discovers the vulnerability, another creates the exploit, and yet another mans the C2 [command and control] center to receive the communication from the infected host,” Grajek says. “The seriousness and efficiency of the collaboration cannot be underestimated.”

He advises enterprises to implement concepts like zero trust and stringent identity governance to know what permissions they have granted to all accounts -- and to watch for any changes.

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights