Part 1/5:
Dissecting the ESXi Ransomware: A Deep Dive
The ESXi ransomware, known as "esxi_args," has been causing havoc, encrypting the virtual machines (VMs) of over 500 hosts across France, Germany, the UK, and the US. In this deep dive, we'll explore the inner workings of this malware and uncover its encryption mechanisms.
Modifying the Configuration File
The malware begins by editing the configuration file, changing the ".vmdk" file extension to ".vmdk.swap". This step likely aims to disable the VMs before encryption, so that they cannot be accessed or recovered while the encryption runs.
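As an added defensive example (not code from the article or from the malware), the following Python audit parses the `key = "value"` lines of an ESXi .vmx configuration and flags disk backing files that carry the ".vmdk.swap" extension described above; the sample configuration is constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample .vmx (not from the article): one disk reference has already been
# rewritten to the ".vmdk.swap" extension, the other still points at a normal .vmdk.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "web01.vmdk.swap"
scsi0:1.present = "TRUE"
scsi0:1.fileName = "web01_1.vmdk"
ide1:0.fileName = "emptyBackingString"
"""

# A .vmx line is   key = "value"   ; comments and blanks are ignored.
VMX_LINE = re.compile(r'^\s*([^\s=#]+)\s*=\s*"(.*)"\s*$')
# Disk controller entries look like scsi0:0.fileName, sata0:1.fileName, nvme0:0.fileName, ide1:0.fileName
DISK_KEY = re.compile(r'^(scsi|sata|nvme|ide)\d+:\d+\.fileName$')


def parse_vmx(text: str) -> Dict[str, str]:
    """Parse a .vmx file body into a key -> value dict."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def disk_references(cfg: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key, backing file) for every disk controller entry."""
    return [(k, v) for k, v in cfg.items() if DISK_KEY.match(k)]


def suspicious_disks(cfg: Dict[str, str], suffix: str = ".vmdk.swap") -> List[Tuple[str, str]]:
    """Flag disk entries whose backing file was renamed to the ransomware's extension."""
    return [(k, v) for k, v in disk_references(cfg) if v.lower().endswith(suffix)]


if __name__ == "__main__":
    cfg = parse_vmx(SAMPLE_VMX)
    for key, backing in suspicious_disks(cfg):
        print(f"{cfg.get('displayName', '?')}: {key} -> {backing} (tampered)")
```

On a live host the same check would be run over every .vmx found under the datastore paths, treating any hit as an indicator that the VM's configuration has already been tampered with.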