DarkBit Ransomware Targets VMware ESXi Servers
Summary
A newly identified ransomware campaign attributed to the DarkBit group has been observed in targeted attacks against VMware ESXi environments. The malware encrypts virtual machine disk and configuration files (VMDK, VMX, NVRAM and others) across VMFS datastores, disrupting enterprise virtual infrastructure.
Technical Details
• Malware Sample: esxi.darkbit (SHA256: 0bb1d29ede51d86373e31485d0e24701558e50856722357372518edfb98265a1)
• Execution: Requires CLI parameters (./esxi <path to vmfs> <seconds to sleep> <list of VMs>)
• Encryption: AES-128-CBC with a per-file key, each key wrapped with an RSA-2048 public key
• Process: Stops running VMs via esxcli, then forks multiple encryption processes that run concurrently
• File extensions targeted: .vmdk, .vmx, .nvram, among others
• Encrypted files receive .DARKBIT extension
Impact & Recovery
• Business-critical systems rendered inoperable during attacks.
• Incident responders leveraged cryptographic flaws to brute-force AES keys and recover data without ransom payment.
Assessment
The DarkBit campaign highlights that while ransomware groups continue to develop specialized tooling against enterprise virtualization environments, poor cryptographic implementations remain exploitable. Organizations using VMware ESXi should ensure strong segmentation, monitor for suspicious esxcli usage, and maintain offline backups to mitigate ransomware impact.
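The "suspicious esxcli usage" the assessment recommends monitoring for can be turned into a concrete check on ESXi shell history. The following is an added example, not part of the original report: it parses constructed shell.log-style lines (the `<timestamp> shell[<pid>]: [<user>]: <command>` layout is an assumption, as are the sample commands) and flags the two behaviours the report describes, forced VM power-off via `esxcli vm process kill` and an unknown binary invoked with a VMFS datastore path as its first argument.

```python
import re
from collections import Counter

# Constructed sample of ESXi shell.log-style lines (format assumed:
# "<timestamp> shell[<pid>]: [<user>]: <command>"); not real telemetry.
SAMPLE_SHELL_LOG = """\
2025-01-10T09:12:01Z shell[2101]: [root]: esxcli vm process list
2025-01-10T09:12:03Z shell[2101]: [root]: esxcli vm process kill --type=force --world-id=2098731
2025-01-10T09:12:03Z shell[2101]: [root]: esxcli vm process kill --type=force --world-id=2098740
2025-01-10T09:12:04Z shell[2101]: [root]: esxcli vm process kill --type=force --world-id=2098752
2025-01-10T09:12:05Z shell[2101]: [root]: ./esxi /vmfs/volumes/datastore1 5 vm01,vm02,vm03
2025-01-10T11:40:22Z shell[3300]: [admin]: esxcli system version get
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)

# High-signal patterns on an ESXi host: forced VM power-off via esxcli (the
# report describes DarkBit stopping VMs this way before encrypting) and an
# unknown binary run with a VMFS datastore path as its first argument.
VM_KILL_RE = re.compile(r"^esxcli\s+vm\s+process\s+kill\b")
VMFS_EXEC_RE = re.compile(r"^\./\S+\s+/vmfs/volumes/\S+")

def parse_shell_log(text):
    """Parse shell.log-style lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def detect_esxcli_abuse(text, kill_threshold=3):
    """Return a list of (severity, reason, command) findings for the given log text."""
    findings = []
    kills = Counter()  # forced kills per (pid, user) shell session
    for ev in parse_shell_log(text):
        cmd = ev["cmd"]
        if VM_KILL_RE.match(cmd):
            kills[(ev["pid"], ev["user"])] += 1
            findings.append(("medium", "forced VM power-off via esxcli", cmd))
        elif VMFS_EXEC_RE.match(cmd):
            findings.append(("high", "unknown binary run against a VMFS datastore path", cmd))
    for (pid, user), n in kills.items():  # burst of kills in one session escalates
        if n >= kill_threshold:
            findings.append(("high", f"{n} VM kills in one shell session (pid {pid}, user {user})", ""))
    return findings
```

On a live host the same functions can be fed the contents of the shell history or shell.log collected by your log forwarder; the threshold is a starting point to tune against normal administrative activity.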