{
	"id": "9c40ad7e-5109-439f-b2c0-384af0cb1e7c",
	"created_at": "2026-04-06T00:11:20.760208Z",
	"updated_at": "2026-04-10T13:13:01.376985Z",
	"deleted_at": null,
	"sha1_hash": "d6ee439570fbee5d55ed16977ebba86aab953f25",
	"title": "Linux version of HelloKitty ransomware targets VMware ESXi servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1994723,
	"plain_text": "Linux version of HelloKitty ransomware targets VMware ESXi servers\r\nBy Lawrence Abrams\r\nPublished: 2021-07-15 · Archived: 2026-04-05 18:29:40 UTC\r\nThe ransomware gang behind the highly publicized attack on CD Projekt Red uses a Linux variant that targets VMware's ESXi virtual machine platform for maximum damage.\r\nAs the enterprise increasingly moves to virtual machines for easier backup and resource management, ransomware gangs are evolving their tactics to create Linux encryptors that target these servers.\r\nVMware ESXi is one of the most popular enterprise virtual machine platforms. Over the past year, there has been an increasing number of ransomware gangs releasing Linux encryptors targeting this platform.\r\nhttps://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/\r\nWhile ESXi is not strictly Linux, as it uses its own custom kernel, it does share many similar characteristics, including the ability to run ELF64 Linux executables.\r\nHelloKitty moves to ESXi\r\nYesterday, security researcher MalwareHunterTeam found numerous Linux ELF64 versions of the HelloKitty ransomware targeting ESXi servers and the virtual machines running on them.\r\nIt has been known that HelloKitty utilizes a Linux encryptor, but this is the first sample that researchers have publicly spotted.\r\nMalwareHunterTeam shared samples of the ransomware with BleepingComputer, and you can clearly see strings referencing ESXi and the ransomware's attempts to shut down running virtual machines.\r\nFirst try kill VM:%ld ID:%d %s\r\nesxcli vm process kill -t=soft -w=%d\r\nCheck kill VM:%ld ID:%d\r\nesxcli vm process kill -t=hard -w=%d\r\nUnable to find\r\nKilled VM:%ld ID:%d\r\nstill running VM:%ld ID:%d try force\r\nesxcli vm process kill -t=force -w=%d\r\nCheck VM:%ld ID: %d manual !!!\r\n.README_TO_RESTORE\r\nFind ESXi:%s\r\nesxcli vm process list\r\nWorld ID:\r\nProcess ID:\r\nRunning VM:%ld ID:%d %s\r\nTotal VM run on host: %ld\r\nFrom the debug messages, we can see that the ransomware uses ESXi's esxcli command-line management tool to list the running virtual machines on the server and then shut them down.\r\nRansomware gangs targeting ESXi servers will shut down virtual machines before encrypting files to prevent the files from being locked and to avoid data corruption.\r\nWhen shutting down the virtual machines, the ransomware will first try a graceful shutdown using the 'soft' command:\r\nesxcli vm process kill -t=soft -w=%d\r\nIf there are still VMs running, it will try an immediate shutdown of virtual machines using the 'hard' command:\r\nesxcli vm process kill -t=hard -w=%d\r\nFinally, if virtual machines are still running, the malware will use the 'force' command to shut down any running VMs forcefully.\r\nesxcli vm process kill -t=force -w=%d\r\nAfter the virtual machines are shut down, the ransomware will begin encrypting .vmdk (virtual hard disk), .vmsd (metadata and snapshot information), and .vmsn (contains the active state of the VM) files.\r\nThis method is very efficient as it allows a ransomware gang to encrypt many virtual machines with a single command.\r\nLast month, MalwareHunterTeam also found a Linux version of the REvil ransomware that targets ESXi servers and used the esxcli command as part of the encryption process.\r\nEmsisoft CTO Fabian Wosar told BleepingComputer at the time that other ransomware operations, such as Babuk, RansomExx/Defray, Mespinoza, GoGoogle, and the now-defunct DarkSide, have also created Linux encryptors to target ESXi virtual machines.\r\n\"The reason why most ransomware groups implemented a Linux-based version of their ransomware is to target ESXi specifically,\" said Wosar.\r\nA bit about HelloKitty\r\nHelloKitty has been in operation since November 2020, when a victim first posted about the ransomware in our forums.\r\nSince then, the threat actors have not been particularly active compared to other human-operated ransomware operations.\r\nTheir most well-known attack has been against CD Projekt Red, where the threat actors encrypted devices and claim to have stolen source code for Cyberpunk 2077, Witcher 3, Gwent, and more.\r\nThe threat actors later claimed that someone had purchased the files stolen from CD Projekt Red.\r\nThis ransomware, or its variants, has been used under different names such as DeathRansom and Fivehands.\r\nSource: https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/"
	],
	"report_names": [
		"linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434280,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6ee439570fbee5d55ed16977ebba86aab953f25.pdf",
		"text": "https://archive.orkl.eu/d6ee439570fbee5d55ed16977ebba86aab953f25.txt",
		"img": "https://archive.orkl.eu/d6ee439570fbee5d55ed16977ebba86aab953f25.jpg"
	}
}