BeastWasHere
Linux ELF ransomware targeting VMware ESXi hypervisor environments. Encrypts .vmdk, .vmem, .vmsd, .vmsn, .vmss and .vmxf files with the ChaCha20 cipher. It runs vim-cmd vmsvc/getallvms to get a list of VMs, shuts them down and encrypts them. Uses a BEASTWASHERE file signature. Supports daemon mode, partial encryption and an external ransom note.
Threat Profile
Type: Ransomware
Programming Language: C++
C2 Protocol: custom
First Seen: 2024
Targets
VMware ESXi Hypervisors
Purpose / Capabilities
- ESXi VM Encryption
No C2 servers have been identified for this family yet.
Research Reports (1)
BeastWasHere ESXi Ransomware 66f86812 -- ELF-32bit-Linux ChaCha20-encryption vim-cmd-vmsvc-getallvms VMDK-VMEM-VMXF BEASTWASHERE-marker beast-log default-key daemon-mode partial-encryption | Critical
BeastWasHere ESXi Ransomware 66f86812, ELF32, 89KB. ESXi VM automation with vim-cmd vmsvc/getallvms. Encryption of .vmdk/.vmem/.vmsd/.vmsn/.vmss/.vmxf files. BEASTWASHERE signature. ChaCha20. beast.log. Daemon mode.