Ransomware targets VMware ESXi

Cybersecurity researchers have observed the BlackByte ransomware group exploiting CVE-2024-37085, a recently patched authentication bypass vulnerability in VMware ESXi hypervisors (CVSS score 6.8), in recent attacks. The flaw lies in how a domain-joined ESXi host handles the Active Directory group named "ESX Admins": the hypervisor grants full administrative access to members of a group with that name without verifying that the group exists or was created by an administrator. An attacker who already holds enough Active Directory privilege to create or rename a group can therefore obtain administrator access to every domain-joined ESXi host, and with it the ability to encrypt the virtual machines running on them.
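The two checks a defender wants for this flaw are on the hypervisor side (is the host still trusting the default group name and granting it the Admin role automatically?) and on the directory side (did anyone create, rename, or add members to a group carrying that name?). The script below is an added example, not code from the article or from VMware or Microsoft. It assumes the two ESXi advanced settings named below have been read from each host (for example with PowerCLI `Get-AdvancedSetting` or `esxcli system settings advanced list`) and passed in as a dict, and that Windows Security events are passed in as dicts carrying `EventID`, `TargetUserName` and `SubjectUserName`; the host settings and event records embedded at the bottom are constructed sample data, not real telemetry.

```python
"""Offline checks for CVE-2024-37085 exposure: ESXi settings and AD group events."""

# ESXi advanced settings that name the trusted AD group and control whether the
# host grants it the Admin role automatically (defaults are the unsafe values).
ESX_ADMINS_GROUP_KEY = "Config.HostAgent.plugins.hostsvc.esxAdminsGroup"
ESX_ADMINS_AUTOADD_KEY = "Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd"
DEFAULT_TRUSTED_GROUP = "ESX Admins"

# Windows Security event IDs for security-enabled group creation, change and
# member addition; TargetUserName carries the group name in all of them.
GROUP_EVENTS = {
    4727: "global group created", 4731: "local group created", 4754: "universal group created",
    4737: "global group changed", 4735: "local group changed", 4755: "universal group changed",
    4728: "member added to global group", 4732: "member added to local group",
    4756: "member added to universal group",
}


def _as_bool(value) -> bool:
    """ESXi tools report booleans as true/false or 1/0 depending on the client."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true", "yes")


def _same_group(a: str, b: str) -> bool:
    # AD group names are not case-sensitive, so compare case-insensitively.
    return a.strip().casefold() == b.strip().casefold()


def assess_esxi_settings(settings: dict) -> list:
    """Return findings for one host; an empty list means both mitigations are set.

    A missing key is treated as the ESXi default, i.e. the exposed value.
    """
    findings = []
    group = str(settings.get(ESX_ADMINS_GROUP_KEY, DEFAULT_TRUSTED_GROUP))
    auto_add = _as_bool(settings.get(ESX_ADMINS_AUTOADD_KEY, True))
    if _same_group(group, DEFAULT_TRUSTED_GROUP):
        findings.append(f"{ESX_ADMINS_GROUP_KEY} is still '{DEFAULT_TRUSTED_GROUP}': "
                        "any AD principal able to create or rename a group to that "
                        "name becomes host admin")
    if auto_add:
        findings.append(f"{ESX_ADMINS_AUTOADD_KEY} is enabled: the host grants the "
                        "Admin role to the trusted group automatically")
    return findings


def find_trusted_group_events(events, trusted_group: str = DEFAULT_TRUSTED_GROUP) -> list:
    """Flag AD events that create, rename or populate the group ESXi trusts."""
    hits = []
    for ev in events:
        label = GROUP_EVENTS.get(ev.get("EventID"))
        if label is None or not _same_group(str(ev.get("TargetUserName", "")), trusted_group):
            continue
        hits.append({"EventID": ev.get("EventID"), "what": label,
                     "group": ev.get("TargetUserName"),
                     "actor": ev.get("SubjectUserName"),
                     "time": ev.get("TimeCreated")})
    return hits


def run_checks(hosts: dict, events) -> dict:
    """Aggregate both checks so the result can be asserted on or printed."""
    at_risk = {name: assess_esxi_settings(cfg) for name, cfg in hosts.items()}
    return {"hosts_at_risk": {n: f for n, f in at_risk.items() if f},
            "suspicious_group_events": find_trusted_group_events(events)}


# --- constructed sample data (not real hosts or real telemetry) ---
SAMPLE_HOSTS = {
    "esxi-01": {ESX_ADMINS_GROUP_KEY: "ESX Admins", ESX_ADMINS_AUTOADD_KEY: "true"},
    "esxi-02": {ESX_ADMINS_GROUP_KEY: "vSphere-Hypervisor-Admins",
                ESX_ADMINS_AUTOADD_KEY: "false"},
}
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-07-30T02:11:04Z", "EventID": 4727,
     "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins"},
    {"TimeCreated": "2024-07-30T02:11:40Z", "EventID": 4728,
     "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins"},
    {"TimeCreated": "2024-07-30T03:05:12Z", "EventID": 4737,
     "SubjectUserName": "jdoe", "TargetUserName": "esx admins"},
    {"TimeCreated": "2024-07-30T09:00:00Z", "EventID": 4727,
     "SubjectUserName": "helpdesk", "TargetUserName": "Printer Operators"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(run_checks(SAMPLE_HOSTS, SAMPLE_EVENTS), indent=2))
```

Renaming the trusted group and disabling the auto-add setting are the host-side mitigations for unpatched hosts; the event check is worth keeping even after patching, because a group named "ESX Admins" appearing in a domain that never used one is a strong signal that someone is preparing to move against the hypervisors.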

Recent investigations have also revealed that BlackByte is entering victims through their existing remote access mechanisms rather than deploying its own tools such as AnyDesk. Researchers observed the threat actors using a new version of their encryptor that appends the "blackbytent_h" extension to encrypted files, drops four vulnerable driver files, and uses stolen Active Directory credentials from the victim's domain to spread.

The BlackByte group operates a ransomware-as-a-service (RaaS) offering that researchers have linked to the notorious Conti ransomware gang. BlackByte is known for abusing vulnerable drivers to disable security tools, deploying self-propagating ransomware with worm-like capabilities, and leveraging legitimate system binaries and commercial tools in its attacks.