{
	"id": "d9be4673-1c94-451c-b6d2-b5f00b30f4bb",
	"created_at": "2026-04-06T00:08:22.733234Z",
	"updated_at": "2026-04-10T03:21:42.882103Z",
	"deleted_at": null,
	"sha1_hash": "b28578aa7dac500d8071975ba10540c2a0302791",
	"title": "Linux Variant of REvil Ransomware Targets VMware’s ESXi, NAS Devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73831,
	"plain_text": "Linux Variant of REvil Ransomware Targets VMware’s ESXi, NAS Devices\r\nBy Tom Spring\r\nPublished: 2021-07-01 · Archived: 2026-04-05 13:55:27 UTC\r\nCriminals behind the potent REvil ransomware have ported the malware to Linux for targeted attacks.\r\nUPDATE\r\nCybercriminals behind a string of high-profile ransomware attacks, including one extorting $11 million from JBS Foods last month, have ported their malware code to the Linux operating system. The unusual move is an attempt to target VMware’s ESXi virtual machine management software and network attached storage (NAS) devices that run on the Linux operating system (OS).\r\nResearchers at AT\u0026T Cybersecurity said they have confirmed four Linux samples of the REvil malware in the wild.\r\nOfer Caspi, security researcher at Alien Labs, a division of AT\u0026T Cybersecurity, wrote in a Thursday blog that after receiving a tip from MalwareHuntingTeam it identified the four samples.\r\n“REvil ransomware authors have expanded their arsenal to include Linux ransomware, which allows them to target ESXi and NAS devices,” Caspi wrote.\r\nIn a nod to research by AdvIntel in early May 2021, which reported REvil’s intent to port its Windows-based ransomware to Linux, Caspi confirmed the Linux variant was spotted in May “affecting *nix systems and ESXi.”\r\n“The samples are ELF-64 executables, with similarities to the Windows REvil executable, being the most noticeable among the configuration options,” he wrote.\r\nExecutable and Linkable Format (or ELF-64) is a standard file format for executable files within Linux and UNIX-like operating systems, according to a technical breakdown.\r\nLinux Ransomware: Rare, but Real\r\nWhat makes Alien Labs’ discovery of the Linux REvil variant unique is that Linux, Unix and other Unix-like computer operating systems are not typically targeted by adversaries. Microsoft Windows computer systems generally deliver the biggest return for an attacker’s effort because of the ubiquity of the OS. Furthermore, instances of Linux are generally well-protected against vulnerabilities, thanks to a tightknit user base delivering fast security updates.\r\nhttps://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/\r\nPage 1 of 3\r\nExamples of Linux malware over the past several years have included Tycoon, Lilocked (or Lilu) and QNAPCrypt. In November, Kaspersky identified a Linux sample of RansomEXX. Researchers noted that criminals based the Linux variant on “WinAPI (functions specific to Windows OS)” and used a similar mechanism to manipulate targeted Linux MBED TLS libraries.\r\nMBED TLS is an implementation of the TLS and SSL protocols distributed under the Apache License.\r\n“The Apache license itself has nothing to do with web servers, other than it being one of the more widely used pieces of software that uses the license, among hundreds of thousands of other open source projects,” said Kenneth White, director of the Open Crypto Audit Project.\r\nIn May, researchers noted criminals behind the DarkSide ransomware also released a Linux variant. Attackers also targeted “virtual machine-related files on VMware ESXI servers.” Researchers said the malware “parses its embedded configuration, kills virtual machines, encrypts files on the infected machine, collects system information, and sends it to the remote server.”\r\nTargeted Attacks: Linux in the Crosshairs\r\nVMware ESXi, formerly known as ESX, is a bare-metal hypervisor that installs easily onto your server and partitions it into multiple virtual machines (VMs).\r\n“The hypervisor ESXi allows multiple virtual machines to share the same hard drive storage. However, this also enables attackers to encrypt the centralized virtual hard drives used to store data from across VMs, potentially causing disruptions to companies,” Alien Labs reported. “[I]n addition to targeting ESXi, REvil is also targeting NAS devices as another storage platform with the potential to highly impact the affected companies.”\r\nResearchers said the Linux version of REvil shares similar attributes with the Windows OS variant. “The [executable’s] configuration file format is very similar to the one observed for REvil Windows samples, but with fewer fields,” Caspi wrote.\r\nSimilarities also include:\r\nBase64-encoded value containing the attacker’s public key used to encrypt files.\r\nRansomware-as-a-service (RaaS) affiliate identifier (7987) is shared between both operating systems.\r\nThe ransom note’s body content is encoded in base64.\r\nThe encrypted extensions, which appear to be five random characters, are: .rhkrc, .qoxaq, .naixq, and .7rspj.\r\n“The threat actors behind REvil RaaS have rapidly developed a Linux version to compete against the recently released Linux version of DarkSide. It is hard to clarify if these two RaaS are competing against each other or collaborating team members, as stated by other security researchers,” researchers wrote.\r\n(This article was updated 7/6 at 12:40 p.m. ET to reflect a clarification on the nature of the Apache software license in the context of MBED TLS.)\r\nSource: https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/"
	],
	"report_names": [
		"167511"
	],
	"threat_actors": [],
	"ts_created_at": 1775434102,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b28578aa7dac500d8071975ba10540c2a0302791.pdf",
		"text": "https://archive.orkl.eu/b28578aa7dac500d8071975ba10540c2a0302791.txt",
		"img": "https://archive.orkl.eu/b28578aa7dac500d8071975ba10540c2a0302791.jpg"
	}
}