[MART] - Daily Diary #305 - New HelloKitty Ransomware Variant Targeting ESXi Servers

CTAS-MAT ctas-mat at appgate.com
Thu Jul 15 22:10:10 UTC 2021


Hello,
I hope everyone is doing well!

Below is the entry for today.

07/15/2021 - Diary entry #305

First discovered in 2020, HelloKitty is a human-operated ransomware used mainly in targeted attacks. The threat actors behind it follow the double-extortion model: they steal data before encrypting it and threaten to publish it if the ransom is not paid. For encryption, HelloKitty can use either the well-known combination of AES-256 + RSA-2048 or AES-128 + NTRU (a post-quantum cryptography algorithm). Initially this threat was Windows-only, but recent versions have been found using Golang-compiled binaries to attack Linux machines as well (a trend covered in our Daily Diary #186).

HelloKitty ransomware became widely known after the CD Projekt Red attack, covered in our Daily Diary #204, in which the operators managed to steal the source code of several games. This week a new HelloKitty variant has been found targeting ESXi servers. The new payload embeds functions to stop the virtual machines running on the VMware host, and focuses on encrypting VMware virtual hard disks and the other files associated with virtual machines and their snapshots.

In our Daily Diary #294 we covered a Sodinokibi variant that also targets ESXi servers. This capability greatly increases the damage on network architectures built around virtual machines: if the ESXi host is compromised, every VM it hosts is damaged as well, since their disks all live on the same datastores. We recommend that system administrators running ESXi hosts redouble their security measures, preferably adopting a zero trust methodology, segmenting the ESXi management network from the others, and keeping the ESXi shell and SSH disabled except when needed.
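Because both the HelloKitty and Sodinokibi ESXi variants have to stop the guests before their disks can be encrypted, the VM-stop commands run on the host are a practical thing to watch for. The script below is an added example and is not part of this diary entry nor code from Appgate or from the malware: it parses the ESXi shell history log (/var/log/shell.log, whose line format and the sample lines are constructed here for the example), flags the standard ESXi commands that kill or power off a VM, reports a burst of them inside a short window, and lists which datastore paths are VM or snapshot files that such a payload would target. The command patterns, extension list and thresholds are assumptions for illustration, not published indicators.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Standard ESXi tooling an operator (or a ransomware payload) can use to stop a VM.
# These are normal administrative commands, so context (user, burst, time of day) matters.
VM_STOP_PATTERNS = [
    re.compile(r"\besxcli\s+vm\s+process\s+kill\b"),
    re.compile(r"\bvim-cmd\s+vmsvc/power\.off\b"),
]

# File types that belong to a VM or its snapshots on a datastore (assumed list).
VM_FILE_SUFFIXES = (".vmdk", ".vmx", ".vmsd", ".vmsn", ".vswp", ".vmem", ".nvram")

# Assumed /var/log/shell.log line layout: "<iso-timestamp> shell[<pid>]: [<user>]: <command>"
SHELL_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)

# Constructed sample log lines: a listing, three forced kills two seconds apart,
# an unrelated command, and a later power-off by a different user.
SAMPLE_SHELL_LOG = [
    "2021-07-15T21:58:01Z shell[2096103]: [root]: esxcli vm process list",
    "2021-07-15T21:58:04Z shell[2096103]: [root]: esxcli vm process kill --type=force --world-id=2097552",
    "2021-07-15T21:58:05Z shell[2096103]: [root]: esxcli vm process kill --type=force --world-id=2097610",
    "2021-07-15T21:58:06Z shell[2096103]: [root]: esxcli vm process kill --type=force --world-id=2097688",
    "2021-07-15T21:59:10Z shell[2096103]: [root]: ls /vmfs/volumes/datastore1",
    "2021-07-15T22:05:33Z shell[2096210]: [admin]: vim-cmd vmsvc/power.off 12",
]


@dataclass
class Hit:
    timestamp: str
    user: str
    command: str


def parse_shell_log_line(line):
    """Return a Hit for a well-formed shell.log line, or None for anything else."""
    m = SHELL_LOG_RE.match(line.strip())
    if not m:
        return None
    return Hit(m["ts"], m["user"], m["cmd"])


def find_vm_stop_commands(lines):
    """Return every parsed line whose command stops a VM."""
    hits = []
    for line in lines:
        entry = parse_shell_log_line(line)
        if entry is None:
            continue
        if any(p.search(entry.command) for p in VM_STOP_PATTERNS):
            hits.append(entry)
    return hits


def burst_of_vm_stops(hits, min_count=3, window_seconds=60):
    """True if at least min_count VM-stop commands fall inside window_seconds."""
    times = sorted(
        datetime.fromisoformat(h.timestamp.replace("Z", "+00:00")) for h in hits
    )
    for i in range(len(times) - min_count + 1):
        if (times[i + min_count - 1] - times[i]).total_seconds() <= window_seconds:
            return True
    return False


def vm_files_at_risk(paths):
    """Filter datastore paths down to the VM and snapshot files a payload would encrypt."""
    return [p for p in paths if p.lower().endswith(VM_FILE_SUFFIXES)]


if __name__ == "__main__":
    stops = find_vm_stop_commands(SAMPLE_SHELL_LOG)
    for h in stops:
        print(f"{h.timestamp} {h.user}: {h.command}")
    print("burst of VM stops:", burst_of_vm_stops(stops))
    print(vm_files_at_risk([
        "/vmfs/volumes/datastore1/web01/web01.vmdk",
        "/vmfs/volumes/datastore1/web01/web01-Snapshot1.vmsn",
        "/var/log/vmkernel.log",
    ]))
```

Run on the host or ship shell.log to a SIEM and apply the same logic there; three forced kills by one session within a minute is rarely routine administration, and the file filter doubles as an inventory of what a compromised host would lose.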

Kind Regards,

Appgate <https://www.appgate.com/>

LinkedIn <https://www.linkedin.com/company/appgate-security/>     Twitter <https://twitter.com/AppgateSecurity>   YouTube <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>



Felipe Duarte Domingues
Security Researcher
Appgate

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
