{
	"id": "c2597374-ab40-436c-8dac-8ff6e4fd1f7a",
	"created_at": "2026-04-06T00:14:19.475665Z",
	"updated_at": "2026-04-10T03:21:36.193789Z",
	"deleted_at": null,
	"sha1_hash": "f1862b75469207c502a8ec36628873bcd2531da6",
	"title": "Linux version of Qilin ransomware focuses on VMware ESXi",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4383238,
	"plain_text": "Linux version of Qilin ransomware focuses on VMware ESXi\r\nBy Lawrence Abrams\r\nPublished: 2023-12-03 · Archived: 2026-04-05 15:56:34 UTC\r\nA sample of the Qilin ransomware gang's VMware ESXi encryptor has been found, and it could be one of the most advanced and customizable Linux encryptors seen to date.\r\nEnterprises are increasingly moving to virtual machines to host their servers, as they allow for better usage of available CPU, memory, and storage resources.\r\nDue to this adoption, almost all ransomware gangs have created dedicated VMware ESXi encryptors to target these servers.\r\nhttps://www.bleepingcomputer.com/news/security/linux-version-of-qilin-ransomware-focuses-on-vmware-esxi/\r\nPage 1 of 6\r\nWhile many ransomware operations utilize the leaked Babuk source code to create their encryptors, a few, such as Qilin, create their own encryptors to target Linux servers.\r\nQilin targets VMware ESXi\r\nLast month, security researcher MalwareHunterTeam found a Linux ELF64 encryptor for the Qilin ransomware gang and shared it with BleepingComputer to analyze.\r\nWhile the encryptor can be used on Linux, FreeBSD, and VMware ESXi servers, it heavily focuses on encrypting virtual machines and deleting their snapshots.\r\nQilin's encryptor is built with an embedded configuration specifying the extension for encrypted files, the processes to terminate, the files to encrypt or exclude, and the folders to encrypt or exclude.\r\nHowever, it also includes numerous command-line arguments allowing extensive customization of these configuration options and of how files are encrypted on a server.\r\nThese command-line arguments include options to enable a debug mode, perform a dry run without encrypting any files, or customize how virtual machines and their snapshots are encrypted.\r\nQilin Linux encryptor\r\nSource: BleepingComputer\r\nThe full list of command-line options is shown below:\r\nOPTIONS:\r\n-d,--debug Enable debug mode (logging level set to DEBUG, disables backgrounding)\r\n --dry-run Perform scan for files to be processed, do not modify them\r\n-h,--help This help\r\n-l,--log-level \u003cnumber\u003e Set logging level. Values are from 0 for FATAL up to 5 for DEBUG\r\n --no-df Ignore configured white-/black- lists of directories\r\n --no-ef Ignore configured white-/black- lists of extensions\r\n --no-ff Ignore configured white-/black- lists of files\r\n --no-proc-kill Disables process kill\r\n-R,--no-rename Disables rename of completed files\r\n --no-snap-rm Disables snapshot deletion\r\n --no-vm-kill Disables VM kill\r\n-p,--path \u003cstring\u003e Specifies top-level directory for files search\r\n --password \u003cstring\u003e Password for startup\r\n-r,--rename Enables rename of completed files (default)\r\n-t,--timer \u003cnumber\u003e Enabled timed delay before encryption (seconds)\r\n-w,--whitelist Use whitelists for inclusion instead of blacklists for exclusion (later is default behavior)\r\n-y,--yes Assume answer 'yes' on all questions (script mode)\r\nIn the sample analyzed by BleepingComputer.com, the encryptor is configured by default with the following exclusions and targeting criteria:\r\nProcesses to not terminate:\r\n\"kvm\", \"qemu\", \"xen\"\r\nDirectories to exclude from encryption:\r\n\"/boot/\", \"/proc/\", \"/sys/\", \"/run/\", \"/dev/\", \"/lib/\", \"/etc/\", \"/bin/\", \"/mbr/\", \"/lib64/\", \"/vmware/lifecycle/\", \"/vdt\r\nFiles to exclude from encryption:\r\n\"initrd\", \"vmlinuz\", \"basemisc.tgz\", \"boot.cfg\", \"bootpart.gz\", \"features.gz\", \"imgdb.tgz\", \"jumpstrt.gz\", \"onetime.tgz\",\r\nFile extensions to exclude from encryption:\r\n\"v00\", \"v01\", \"v02\", \"v03\", \"v04\", \"v05\", \"v06\", \"v07\", \"v08\", \"v09\", \"b00\", \"b01\", \"b02\", \"b03\", \"b04\", \"b05\", \"b06\", \"b\r\nDirectories to target for encryption:\r\n\"/home\", \"/usr/home\", \"/tmp\", \"/var/www\", \"/usr/local/www\", \"/mnt\", \"/media\", \"/srv\", \"/data\", \"/backup\", \"/var/lib/mysql\r\nFiles to target for encryption:\r\n\"3ds\", \"3g2\", \"3gp\", \"7z\", \"aac\", \"abw\", \"ac3\", \"accdb\", \"ai\", \"aif\", \"aiff\", \"amr\", \"apk\", \"app\", \"asf\", \"asx\", \"atom\",\r\nConfiguring a list of virtual machines that should not be encrypted is also possible.\r\nWhen executing the encryptor, a threat actor must specify the starting directory for encryption and a specific password tied to the encryptor.\r\nWhen executed, the ransomware will determine whether it is running on a Linux, FreeBSD, or VMware ESXi server.\r\nIf it detects VMware ESXi, it will run the following esxcli and esxcfg-advcfg commands, which we have not seen in other ESXi encryptors in the past.\r\nfor I in $(esxcli storage filesystem list |grep 'VMFS-5' |awk '{print $1}'); do vmkfstools -c 10M -d eagerzeroedthick $I/\r\nfor I in $(esxcli storage filesystem list |grep 'VMFS-5' |awk '{print $1}'); do vmkfstools -c 10M -d eagerzeroedthick $I/e\r\nfor I in $(esxcli storage filesystem list |grep 'VMFS-6' |awk '{print $1}'); do vmkfstools -c 10M -d eagerzeroedthick $I/e\r\nfor I in $(esxcli storage filesystem list |grep 'VMFS-6' |awk '{print $1}'); do vmkfstools -c 10M -d eagerzeroedthick $I/e\r\nesxcfg-advcfg -s 32768 /BufferCache/MaxCapacity\r\nesxcfg-advcfg -s 20000 /BufferCache/FlushInterval\r\nVMware expert Melissa Palmer told BleepingComputer that these commands were likely copied from VMware support bulletins to resolve a known VMware memory heap exhaustion bug and increase performance when executing ESXi commands on the server.\r\nBefore encrypting any detected virtual machines, the ransomware will first terminate all VMs and delete their snapshots using the following commands:\r\nesxcli vm process list\r\nvim-cmd vmsvc/getallvms\r\nesxcli vm process kill -t force -w %llu\r\nvim-cmd vmsvc/snapshot.removeall %llu \u003e /dev/null 2\u003e\u00261\r\nAll targeted files will then be encrypted and have the configured extension appended to the file name.\r\nIn each folder, a ransom note named [extension]_RECOVER.txt will be created that contains links to the ransomware gang's Tor negotiation site and the login credentials required to access the victim's chat page.\r\nQilin ransom note\r\nSource: BleepingComputer\r\nBleepingComputer has seen ransom demands ranging from $25,000 to millions of dollars.\r\nThe Qilin ransomware operation\r\nThe Qilin ransomware operation was initially launched as \"Agenda\" in August 2022. However, by September, it had rebranded under the name Qilin, which it continues to operate as to this day.\r\nLike other enterprise-targeting ransomware operations, Qilin will breach a company's network and steal data as the attackers spread laterally to other systems.\r\nWhen done collecting data and gaining server administrator credentials, the threat actors deploy the ransomware to encrypt all devices on the network.\r\nThe stolen data and the encrypted files are then used as leverage in double-extortion attacks to coerce a company into paying a ransom demand.\r\nSince its launch, the ransomware operation has had a steady stream of victims but has seen increased activity towards the end of 2023.\r\nA recent attack by Qilin was on the auto-parts giant Yanfeng.\r\nSource: https://www.bleepingcomputer.com/news/security/linux-version-of-qilin-ransomware-focuses-on-vmware-esxi/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/linux-version-of-qilin-ransomware-focuses-on-vmware-esxi/"
	],
	"report_names": [
		"linux-version-of-qilin-ransomware-focuses-on-vmware-esxi"
	],
	"threat_actors": [],
	"ts_created_at": 1775434459,
	"ts_updated_at": 1775791296,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1862b75469207c502a8ec36628873bcd2531da6.pdf",
		"text": "https://archive.orkl.eu/f1862b75469207c502a8ec36628873bcd2531da6.txt",
		"img": "https://archive.orkl.eu/f1862b75469207c502a8ec36628873bcd2531da6.jpg"
	}
}