AhnLab cybersecurity researchers: The malware is downloaded and executed from a WSF file within a compressed file, delivered via URL in phishing emails.
MalwareHunterTeam: HelloKitty gang targets VMware ESXi servers. The group shuts them down before encrypting files to prevent them from being locked and to avoid data corruption
The HelloKitty cybercrime gang has developed a Linux version of its ransomware that has targeted VMware ESXi servers since at least early March. It was discovered by the security researcher MalwareHunterTeam. The group shuts down virtual machines before encrypting files, both to prevent the files from being locked and to avoid data corruption. The malware first attempts a graceful shutdown using the “soft” command. If VMs are still running, it moves on to the “hard” command. Finally, if any are still running, it uses the “force” command to shut them down forcibly. Once this succeeds, it starts encrypting .vmdk, .vmsd and .vmsn files.
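The soft/hard/force progression described above is a usable detection signal on the hypervisor itself: an operator rarely walks every VM through all three kill levels within a couple of minutes. The following is an added example, not code from the original report or from any vendor, that scans ESXi shell-history style log lines for that escalation. The `esxcli vm process kill --type=<soft|hard|force>` syntax is the real ESXi command; the sample log lines and their timestamp format are constructed for the example and are assumptions, not an artifact from the page.

```python
import re
from datetime import datetime, timedelta

# "--type=" / "-t" are the real esxcli spellings for the kill level.
KILL_RE = re.compile(r"esxcli vm process kill\b.*?(?:--type[= ]|-t\s*)(soft|hard|force)\b")
LEVEL = {"soft": 0, "hard": 1, "force": 2}

# Constructed sample, loosely modelled on ESXi /var/log/shell.log (format assumed).
SAMPLE_LOG = """\
2021-07-05T09:58:40Z shell[2001]: [root]: esxcli vm process list
2021-07-05T09:58:52Z shell[2001]: [root]: esxcli vm process kill --type=soft --world-id=2101
2021-07-05T09:58:53Z shell[2001]: [root]: esxcli vm process kill --type=soft --world-id=2102
2021-07-05T09:59:20Z shell[2001]: [root]: esxcli vm process kill --type=hard --world-id=2102
2021-07-05T09:59:41Z shell[2001]: [root]: esxcli vm process kill --type=force --world-id=2102
2021-07-05T10:03:10Z shell[2001]: [root]: ls /vmfs/volumes
"""


def parse_kill(line):
    """Return (timestamp, kill level) for a VM kill command line, else None."""
    m = KILL_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(line[:20], "%Y-%m-%dT%H:%M:%SZ")  # leading ISO-8601 stamp, assumed
    return ts, LEVEL[m.group(1)]


def detect_escalation(log_text, window=timedelta(minutes=5)):
    """Flag a soft -> hard -> force kill progression that completes inside `window`.

    Returns a list of (first_ts, last_ts, levels_seen) tuples, one per escalation.
    A single soft kill, or soft followed by hard, is normal admin activity and is
    not reported; all three levels in a short window is the pattern the report describes.
    """
    events = [e for e in (parse_kill(l) for l in log_text.splitlines()) if e]
    alerts = []
    i = 0
    while i < len(events):
        start_ts, _ = events[i]
        seen = set()
        j = i
        while j < len(events) and events[j][0] - start_ts <= window:
            seen.add(events[j][1])
            j += 1
        if seen >= {0, 1, 2}:
            alerts.append((start_ts, events[j - 1][0], sorted(seen)))
            i = j  # skip past the window we just reported on
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for first, last, levels in detect_escalation(SAMPLE_LOG):
        names = [n for n, v in LEVEL.items() if v in levels]
        print(f"escalating VM kills {first.isoformat()} .. {last.isoformat()}: {' -> '.join(names)}")
```

A follow-on check a defender would pair with this is file activity: writes to `.vmdk`, `.vmsd` or `.vmsn` files on `/vmfs/volumes` shortly after the escalation is the second half of the behaviour the report describes, and the window parameter can be tightened once a baseline of legitimate shutdowns is known.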