The REvil ransomware operation is now using a Linux encryptor that targets and encrypts Vmware ESXi virtual machines.
With the enterprise moving to virtual machines for easier backups, device management, and efficient use of resources, ransomware gangs increasingly create their own tools to mass encrypt storage used by VMs.
In May, Advanced Intel’s Yelisey Boguslavskiy shared a forum post from the REvil operation where they confirmed that they had released a Linux version of their encryptor that could also work on NAS devices.
Today, security researcher MalwareHunterTeam found a Linux version of the REvil ransomware (aka Sodinokibi) that also appears to target ESXi servers.
Advanced Intel’s Vitali Kremez, who analyzed the new REvil Linux variant, told BleepingComputer it is an ELF64 executable and includes the same configuration options utilized by the more common Windows executable.
Kremez states that this is the first known time the Linux variant has been publicly available since it was released.