esxi - TrustStrike Labs

breach

2026-05-08

RansomHouse claims the Trellix breach and posts screenshots showing it reached internal VMware, Rubrik, and Dell EMC dashboards - far more than the 'small portion of source code' Trellix originally disclosed

Update on the Trellix breach we covered May 2: RansomHouse claimed the attack on its leak site Thursday and published screenshots that suggest the intrusion reached well beyond the source code repository Trellix originally acknowledged. Cybernews researchers reviewed the dumped images and identified internal dashboards for VMware vCenter, Rubrik backup, and Dell EMC storage - the systems that hold backups, credentials, and virtual machine images for the entire company. RansomHouse says the intrusion happened April 17 and resulted in data encryption. Trellix told BleepingComputer it's 'aware of claims of responsibility' and looking into them. RansomHouse currently lists 170+ victims on its Tor leak site.

trellix ransomhouse follow-up vmware-vcenter rubrik dell-emc extortion mario-encryptor mragent esxi cybernews-analysis scope-expansion

Check: If your organization runs Trellix endpoint, IPS, ePolicy Orchestrator, or email security, audit checksums of every Trellix update installed since April 17. Hunt for unusual outbound traffic from Trellix product hosts.
Affected: Trellix customers - 53,000+ enterprises and government agencies in 185 countries protecting 200M+ endpoints. Acute risk: organizations relying on Trellix for backup integrity (Rubrik exposed) or VMware management (vCenter exposed). Defense and federal customers face higher residual risk pending Trellix's full incident report.
Fix: Hold non-emergency Trellix product updates until Trellix releases a written incident report with concrete scope. Verify checksums for every Trellix agent updated since April 17 against Trellix's published values. Treat any Trellix-issued credentials, API tokens, or signing certificates from before April 17 as potentially compromised and request rotation. Demand a written incident report within 30 days.

threat

2026-04-28

Broken VECT 2.0 ransomware is silently destroying any file larger than 131 KB on Windows, Linux, and ESXi - paying the ransom recovers nothing

Researchers found a serious bug in VECT 2.0, a new ransomware family making the rounds: the encryption routine corrupts any file larger than about 131 KB instead of encrypting it reversibly. Files smaller than the threshold encrypt and decrypt normally; everything bigger gets permanently destroyed. Operators don't seem to know yet, so victims who pay get a working decryption tool that recovers small files and tells them the large ones are 'corrupted' - which they are, because VECT broke them on the way in. The bug affects Windows, Linux, and VMware ESXi variants. Any large file on a VECT 2.0-hit system is irrecoverable regardless of whether the ransom is paid.

vect-ransomware wiper encryption-bug windows linux esxi unrecoverable backup-importance

Check: Make sure every host that handles documents, databases, or virtual machine images has tested, off-network backups - because if VECT 2.0 hits, restore from backup is your only path.
Affected: Any Windows, Linux, or VMware ESXi system running unpatched RDP, SMB, or VPN exposure that VECT 2.0 operators are using as initial access. The 131 KB threshold catches almost everything important: Office documents, PDFs, databases, virtual machine disks, source code repos. Small config files survive, which makes the attack look partially recoverable until victims realize the scope.
Fix: Verify backups are off-network (immutable storage, air-gapped tape, S3 object lock) and test restore for at least one large file from each business-critical system. If hit by VECT 2.0, do not pay the ransom - large files cannot be recovered even if the operator delivers a working decryption tool. Restore from clean backup. Watch for VECT 2.0 indicators in EDR feeds; the bug may be patched in future versions.

threat

2026-04-22

Kyber ransomware experiments with post-quantum encryption across Windows and VMware ESXi

A new ransomware family called Kyber has been deployed in attacks combining a Rust-based Windows encryptor with a Linux ESXi variant on the same victim network, and its Windows build is one of the first in the wild to advertise post-quantum cryptography. Rapid7 analysed both variants during a March 2026 incident response and found the Windows build genuinely uses Kyber1024 (a NIST-selected post-quantum key-encapsulation algorithm) plus X25519 to wrap the AES-CTR keys that actually encrypt files, matching its ransom-note claims. The Linux ESXi variant makes the same post-quantum marketing claim but actually uses ChaCha8 with RSA-4096 - pure marketing theatre rather than real crypto defense. For victims the distinction does not matter: without the attacker's private key the files are unrecoverable regardless of algorithm. Windows-encrypted files get a '.#~~~' extension; Linux gets '.xhsyw'. The ESXi variant enumerates all VMs, encrypts datastore files, defaces management interfaces, adds crontab persistence, and terminates VMs. The Windows variant deletes shadow copies, disables boot repair, kills SQL/Exchange/backup services, clears event logs, wipes the Recycle Bin, and ships with an experimental Hyper-V shutdown feature. Only one victim appears on the Kyber leak site so far (a multi-billion-dollar American defence contractor and IT services provider), meaning most current victims are still in the extortion window and not publicly known.

kyber-ransomware post-quantum esxi hyper-v rust ransomware rapid7 double-extortion

Check: Hunt your Windows estate for files with a '.#~~~' extension, your ESXi hosts for files with a '.xhsyw' extension, and any Hyper-V and ESXi management surface for unexpected crontab entries or defaced login banners.
Affected: Any environment exposing Windows domain controllers or file servers alongside VMware ESXi infrastructure. ESXi variant targets datastore files, VM enumeration, and management interface defacement; Windows variant specifically targets Hyper-V in experimental mode. Organizations relying on shadow-copy-based recovery, SQL/Exchange snapshots, or on-disk backup services without immutable storage.
Fix: Enforce offline, immutable backups for every tier of your environment - Kyber explicitly destroys shadow copies, boot repair, and in-place backup services. Apply the ESXi hardening guidance (disable SSH when not in use, require MFA on vCenter, enable execInstalledOnly, patch to the latest ESXi build) to cut the affiliate's preferred initial-access paths. Alert on: crontab modifications on ESXi hosts, 'vim-cmd vmsvc/getallvms' followed by mass power-off, the '.#~~~' and '.xhsyw' file extensions on any write, and Windows event log clears. Given affiliate-level overlap with other ransomware operations, also review access paths through internet-facing VPN gateways and RDP.

threat

2026-04-21

The Gentlemen ransomware operation hiding 1,570+ unreported victims per Check Point C2 analysis - 5x larger than leak site suggests

Check Point researchers gained visibility into a SystemBC command-and-control server used by an affiliate of The Gentlemen ransomware-as-a-service operation and found over 1,570 compromised corporate networks that have not been publicly disclosed. The group's own data leak site only lists about 320 victims, meaning the real footprint is nearly 5x larger than public reporting suggests. The Gentlemen emerged in July 2025 and has become one of the most prolific RaaS operations. It uses a Go-based locker targeting Windows, Linux, NAS, and BSD systems, operates a classic double-extortion model, and abuses legitimate drivers plus custom tooling to bypass defenses. SystemBC is a SOCKS5 tunneling proxy that uses RC4-encrypted C2 communications and can download and execute additional malware in memory. Attack chain: initial access via internet-facing services or compromised credentials, followed by reconnaissance, Cobalt Strike deployment, SystemBC tunneling, lateral movement using Group Policy Objects for domain-wide compromise, then the encryptor. A notable TTP: during lateral movement, The Gentlemen pushes a PowerShell script that disables Windows Defender real-time monitoring, adds broad exclusions for staging shares and its own process, shuts down the firewall, re-enables SMB1, and loosens LSA anonymous access controls before deploying the ransomware binary on each reachable host. The ESXi variant shuts down virtual machines, adds persistence via crontab, and inhibits recovery. Victim geography spans US, UK, Germany, Australia, and Romania.

the-gentlemen ransomware raas systembc gpo-abuse defender-evasion esxi lateral-movement

Check: Audit your environment for SystemBC indicators and GPO abuse patterns. The Gentlemen's 1,570+ victim count means there's a meaningful chance you or your peers are already compromised without knowing it.
Affected: Any organization with internet-facing services (VPN gateways, RDP, remote admin portals) or weak credential hygiene is at risk of initial access. Environments where Windows Defender exclusions can be modified via GPO, where SMB1 can be re-enabled, or where LSA anonymous access controls can be loosened are at acute risk of the full attack chain. VMware ESXi environments are specifically targeted by a Linux variant.
Fix: Hunt for SystemBC: look for outbound SOCKS5 connections to non-corporate destinations, RC4-encrypted traffic patterns, and unexpected tunneling processes. Alert on any GPO modification that adds Windows Defender exclusions, disables real-time monitoring, re-enables SMB1, or loosens LSA anonymous access settings - these are near-certain indicators of ransomware staging. For ESXi, monitor for unauthorized crontab modifications and VM shutdown commands. Review privileged credentials used in GPO management - compromise of a single GPO admin account gives attackers domain-wide ransomware deployment capability. Confirm backups are offline and immutable; The Gentlemen's ESXi variant actively inhibits recovery.