Conti ESXi ransomware strain could be run directly by an attacker, says Trellix

The Conti ransomware strain aimed at VMware's ESXi hypervisor seems to be designed to be run directly by an operator, say researchers at Trellix. By comparison, Windows versions of the malware run independently, the researchers said in a report issued this week.

This conclusion is part of an analysis of a sample of the ESXi variant of the ransomware, which Trellix got hold of earlier this month. The existence of an ESXi version of Conti isn't new, but the sample Trellix acquired is the first it has seen in the wild. As part of the analysis, the researchers went back to last month's trove of leaked Conti chat messages to find out the history of the variant.

The capture of a sample of this variant, plus an analysis of the leaked chats, reinforces the conclusion of researchers that Conti developers continue to operate normally, with the group adding new victims to their blog on a regular basis, Trellix says.

The first mention of a Conti locker for Linux in the leaked chat messages dates to the beginning of May, 2021, the Trellix report says. Around six weeks later, in mid-June 2021, one developer messaged another that the Linux build of the locker wasn't ready yet. Perhaps, this person suggested, it should be tested on a real case — but not a large company. In reply a developer said a large casino hack was almost finalized and suggested that could be the target. Based on this, Trellix believes an unnamed casino was hit with this strain in the summer of 2021.

The messages show a fix was still required for the Linux variant until the beginning of February, with developers adjusting it for various ESXi versions, including the latest version 7.0 and higher.

The Conti Linux variant decryptor — essential because that's what victims buy — had some issues too. In July and August, 2021 a developer reported the provided decryptor did not remove the ransomware extension from the victim's files. A gang member said the victim needed to manually change the extension of the encrypted files. However, because a large volume of files had to be processed, the developer was asked to rebuild the decryptor so that it automatically removes the extension from the decrypted files.

Despite some problems, Trellix says the ESXi variant began being actively distributed in November, 2021. By examining the Conti leaks, researchers think victims have included law firms, the automotive sector, logistic companies, retailers and financial services.

The chat messages suggest that for one victim Conti set an initial ransom at US$20 million, but settled at US$1 million, mainly because something went wrong with the Linux variant locker and instead of 800 ESXi servers they managed to encrypt only 260 servers. Furthermore, the blog says, it seems that the victim did not want Conti's decryptor, and Conti suspected they had somehow managed to recover and restore their systems.

"Targeting ESXi Hypervisors and its virtual machines is of special interest for criminals because the impact on the organizations they attack is huge," said Trellix researchers. "Nowadays it is a common theme in the ransomware landscape to develop new binaries specifically to encrypt virtual machines and their management environments."

The post Conti ESXi ransomware strain could be run directly by an attacker, says Trellix first appeared on IT World Canada.
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.