{
	"id": "0441a52c-0ac9-4424-a6e6-e153ba284c11",
	"created_at": "2026-04-06T00:10:50.544311Z",
	"updated_at": "2026-04-10T03:21:57.504627Z",
	"deleted_at": null,
	"sha1_hash": "f1dfcb0fb85bd1dfa680a2c241bfd84bfebdad9e",
	"title": "Linux version of BlackMatter ransomware targets VMware ESXi servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2125259,
	"plain_text": "Linux version of BlackMatter ransomware targets VMware ESXi servers\r\nBy Lawrence Abrams\r\nPublished: 2021-08-05 · Archived: 2026-04-05 20:29:01 UTC\r\nThe BlackMatter gang has joined the ranks of ransomware operations to develop a Linux encryptor that targets VMware's ESXi virtual machine platform.\r\nThe enterprise is increasingly moving to virtual machines for their servers for better resource management and disaster recovery.\r\nWith VMware ESXi being the most popular virtual machine platform, almost every enterprise-targeting ransomware operation has begun to release encryptors that specifically target its virtual machines.\r\nhttps://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/\r\nPage 1 of 4\r\nBlackMatter targets VMware ESXi\r\nYesterday, security researcher MalwareHunterTeam found a Linux ELF64 encryptor [VirusTotal] for the BlackMatter ransomware gang that specifically targets VMware ESXi servers based on its functionality.\r\nBlackMatter is a relatively new ransomware operation that started last month and is believed to be a rebrand of DarkSide.\r\nAfter researchers found samples, it was determined that the encryption routines used by the ransomware were the same custom and unique ones used by DarkSide.\r\nDarkSide shut down after attacking and shutting down Colonial Pipeline and then feeling the full pressure of international law enforcement and the US government.\r\nFrom the sample of BlackMatter's Linux encryptor shared with BleepingComputer, it is clear that it was designed solely to target VMware ESXi servers.\r\nAdvanced Intel's Vitali Kremez reverse engineered the sample and told BleepingComputer that the threat actors created an 'esxi_utils' library that is used to perform various operations on VMware ESXi servers:\r\n/sbin/esxcli\r\nbool app::esxi_utils::get_domain_name(std::vector \u003e\u0026)\r\nbool app::esxi_utils::get_running_vms(std::vector \u003e\u0026)\r\nbool app::esxi_utils::get_process_list(std::vector \u003e\u0026)\r\nbool app::esxi_utils::get_os_version(std::vector \u003e\u0026)\r\nbool app::esxi_utils::get_storage_list(std::vector \u003e\u0026)\r\nstd::string app::esxi_utils::get_machine_uuid()\r\nbool app::esxi_utils::stop_firewall()\r\nbool app::esxi_utils::stop_vm(const string\u0026)\r\nKremez told us that each function would execute a different command using the esxcli command-line management tool, such as listing VMs, stopping the firewall, stopping a VM, and more.\r\nFor example, the stop_firewall() function will execute the following command:\r\nesxcli network firewall set --enabled false\r\nWhile stop_vm() will execute the following esxcli command:\r\nesxcli vm process kill --type=force --world-id [ID]\r\nAll ransomware that targets ESXi servers attempts to shut down virtual machines before encrypting the drives. This is done to prevent data from being corrupted while it is encrypted.\r\nOnce all the VMs are shut down, it will encrypt files that match specific file extensions based on the configuration included with the ransomware.\r\nTargeting ESXi servers is very efficient when conducting ransomware attacks, as it allows the threat actors to encrypt numerous servers at once with a single command.\r\nAs more businesses move to this type of platform for their servers, we will continue to see ransomware developers focus primarily on Windows machines but also create a dedicated Linux encryptor targeting ESXi.\r\nEmsisoft CTO Fabian Wosar told BleepingComputer that other ransomware operations, such as REvil, HelloKitty, Babuk, RansomExx/Defray, Mespinoza, and GoGoogle, have also created Linux encryptors for this purpose.\r\nSource: https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/"
	],
	"report_names": [
		"linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434250,
	"ts_updated_at": 1775791317,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1dfcb0fb85bd1dfa680a2c241bfd84bfebdad9e.pdf",
		"text": "https://archive.orkl.eu/f1dfcb0fb85bd1dfa680a2c241bfd84bfebdad9e.txt",
		"img": "https://archive.orkl.eu/f1dfcb0fb85bd1dfa680a2c241bfd84bfebdad9e.jpg"
	}
}