{
	"id": "d7567fdd-bdb7-4bd4-80b1-b0d78aa02ed5",
	"created_at": "2026-04-06T00:18:30.299503Z",
	"updated_at": "2026-04-10T03:22:00.965428Z",
	"deleted_at": null,
	"sha1_hash": "9b0f20776611684c60585477c91b51abe4ac5412",
	"title": "REvil ransomware's new Linux encryptor targets ESXi virtual machines",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2133196,
	"plain_text": "REvil ransomware's new Linux encryptor targets ESXi virtual machines\r\nBy Lawrence Abrams\r\nPublished: 2021-06-28 · Archived: 2026-04-02 12:30:32 UTC\r\nThe REvil ransomware operation is now using a Linux encryptor that targets and encrypts VMware ESXi virtual machines.\r\nWith the enterprise moving to virtual machines for easier backups, device management, and efficient use of resources, ransomware gangs increasingly create their own tools to mass encrypt storage used by VMs.\r\nIn May, Advanced Intel's Yelisey Boguslavskiy shared a forum post from the REvil operation where they confirmed that they had released a Linux version of their encryptor that could also work on NAS devices.\r\nhttps://www.bleepingcomputer.com/news/security/revil-ransomwares-new-linux-encryptor-targets-esxi-virtual-machines/\r\nPage 1 of 4\n\n#REvil just directly confirmed that they had added an operating Linux version portable for NAS as well.\r\npic.twitter.com/Fc6p2H62vf\r\n— Yelisey Boguslavskiy (@y_advintel) May 9, 2021\r\nToday, security researcher MalwareHunterTeam found a Linux version of the REvil ransomware (aka Sodinokibi) that also appears to target ESXi servers.\r\nAdvanced Intel's Vitali Kremez, who analyzed the new REvil Linux variant, told BleepingComputer it is an ELF64 executable and includes the same configuration options utilized by the more common Windows executable.\r\nKremez states that this is the first known time the Linux variant has been publicly available since it was released.\r\nWhen executed on a server, a threat actor can specify the path to encrypt and enable a silent mode, as shown by the usage instructions below.\r\nUsage example: elf.exe --path /vmfs/ --threads 5\r\n without --path encrypts current dir\r\n--silent (-s) use for not stoping VMs mode\r\n!!!BY DEFAULT THIS SOFTWARE USES 50 THREADS!!!\r\nWhen executed on ESXi servers, it will run the esxcli command line tool to list all running ESXi virtual machines and terminate them.\r\nesxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\"*,\"*\" '{system(\"esxcli vm\r\nThis command is used to close the virtual machine disk (VMDK) files stored in the /vmfs/ folder so that the REvil ransomware can encrypt the files without them being locked by ESXi.\r\nIf a virtual machine is not correctly closed before encrypting its file, it could lead to data corruption, as explained by Emsisoft CTO Fabian Wosar.\r\nBy targeting virtual machines this way, REvil can encrypt many servers at once with a single command.\r\nWosar told BleepingComputer that other ransomware operations, such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and Hellokitty have also created Linux encryptors to target ESXi virtual machines.\r\n\"The reason why most ransomware groups implemented a Linux-based version of their ransomware is to target ESXi specifically,\" said Wosar.\r\nFile hashes associated with the REvil Linux encryptor have been collected by security researcher Jaime Blasco and shared on AlienVault's Open Threat Exchange.\r\nSource: https://www.bleepingcomputer.com/news/security/revil-ransomwares-new-linux-encryptor-targets-esxi-virtual-machines/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/revil-ransomwares-new-linux-encryptor-targets-esxi-virtual-machines/"
	],
	"report_names": [
		"revil-ransomwares-new-linux-encryptor-targets-esxi-virtual-machines"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434710,
	"ts_updated_at": 1775791320,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b0f20776611684c60585477c91b51abe4ac5412.pdf",
		"text": "https://archive.orkl.eu/9b0f20776611684c60585477c91b51abe4ac5412.txt",
		"img": "https://archive.orkl.eu/9b0f20776611684c60585477c91b51abe4ac5412.jpg"
	}
}