A newly emergent MichaelKors ransomware-as-a-service operation has been targeting VMware ESXi and Linux systems since last month, following similar targeting by the ALPHV/BlackCat, ESXiArgs, LockBit, Play, Rook, Black Basta, Defray, and Rorschach ransomware gangs, according to The Hacker News.
VMware ESXi hypervisors have become increasingly attractive targets for ransomware operations because they do not support antivirus software or third-party agents, are widely deployed, are frequently left inadequately segmented from the rest of the network, and carry numerous security flaws that have been exploited in the wild, a CrowdStrike report showed.
VMware noted that its knowledge base article on antivirus and third-party agent deployment on ESXi hypervisors is outdated and will be updated soon. Organizations running ESXi have been urged to restrict direct access to ESXi hosts, back up ESXi datastore volumes regularly, enable two-factor authentication, and apply security updates promptly to avoid compromise amid the continued targeting of vulnerable instances.
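As an added example (not VMware's or CrowdStrike's code), the script below checks an ESXi host against the direct-access and patch-level advice above: it reads the state of the SSH and ESXi Shell services, lockdown mode, and the running build, and reports each weak setting. The `/etc/init.d/SSH status`, `/etc/init.d/ESXShell status`, `vim-cmd vimsvc/auth/lockdown_is_enabled` and `esxcli system version get` commands are the ESXi 7 shell commands (version assumed); the SAMPLE_* outputs and the MIN_BUILD value are constructed placeholders so the checks can run off-host, and the build threshold must be set from the vendor bulletin you are patching against. Backup cadence and two-factor authentication are not host-local settings and are not checked here.

```shell
#!/bin/sh
# Added example, not VMware's code: audit an ESXi host's direct-access
# surface and patch level. The esxcli, vim-cmd and /etc/init.d invocations
# are the real ESXi shell commands; SAMPLE_* outputs are constructed so the
# checks can run on any POSIX shell without an ESXi host.

# Assumption: MIN_BUILD is the build number of the patch your vendor
# bulletin names. 99999999 is a placeholder, not a real threshold.
MIN_BUILD=${MIN_BUILD:-99999999}

# Classify "SSH is running" / "ESXi Shell is not running", as printed by
# `/etc/init.d/SSH status` and `/etc/init.d/ESXShell status`.
service_running() {
    case "$1" in
        *"is not running"*) return 1 ;;
        *"is running"*)     return 0 ;;
        *)                  return 2 ;;   # unrecognised output, treated as not running
    esac
}

# `vim-cmd vimsvc/auth/lockdown_is_enabled` prints "true" or "false".
lockdown_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "true" ]
}

# Pull the numeric build out of `esxcli system version get` output
# (a line such as "   Build: Releasebuild-12345678").
build_number() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Build: *Releasebuild-\([0-9][0-9]*\).*/\1/p'
}

# audit SSH_STATUS SHELL_STATUS LOCKDOWN_FLAG VERSION_OUTPUT
# Prints one FINDING line per weak setting and a final "findings: N" line.
audit() {
    n=0
    if service_running "$1"; then
        echo "FINDING: SSH service is running; stop it outside of admin sessions"
        n=$((n + 1))
    fi
    if service_running "$2"; then
        echo "FINDING: ESXi Shell is running; direct host shell access should be off"
        n=$((n + 1))
    fi
    if ! lockdown_enabled "$3"; then
        echo "FINDING: lockdown mode disabled; host accepts direct logins instead of vCenter-only"
        n=$((n + 1))
    fi
    b=$(build_number "$4")
    if [ -z "$b" ] || [ "$b" -lt "$MIN_BUILD" ]; then
        echo "FINDING: build ${b:-unknown} is below required build $MIN_BUILD"
        n=$((n + 1))
    fi
    echo "findings: $n"
}

# Constructed sample outputs for a weakly configured host (build is made up).
SAMPLE_SSH='SSH is running'
SAMPLE_SHELL='ESXi Shell is running'
SAMPLE_LOCKDOWN='false'
SAMPLE_VERSION='   Product: VMware ESXi
   Version: 7.0.3
   Build: Releasebuild-12345678
   Update: 3
   Patch: 0'

if command -v esxcli >/dev/null 2>&1; then
    # On a real host, feed the live command output in.
    audit "$(/etc/init.d/SSH status)" "$(/etc/init.d/ESXShell status)" \
          "$(vim-cmd vimsvc/auth/lockdown_is_enabled)" "$(esxcli system version get)"
else
    audit "$SAMPLE_SSH" "$SAMPLE_SHELL" "$SAMPLE_LOCKDOWN" "$SAMPLE_VERSION"
fi
```

Run it from the ESXi shell with MIN_BUILD exported to the build your bulletin specifies; on a hardened host with SSH and the shell stopped, lockdown mode on, and a current build it reports "findings: 0". The checks only parse command output, so the script makes no configuration changes itself.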
"Adversaries will likely continue to target VMware-based virtualization infrastructure. This poses a major concern as more organizations continue transferring workloads and infrastructure into cloud environments all through VMware Hypervisor environments," said CrowdStrike.
BleepingComputer reports that KELA threat analysts observed the third iteration of the Knight ransomware's source code being offered for sale on the RAMP forum by the operation's representative, Cyclops.