Cybereason • 1w
Rhysida, Interlock, and The Gentlemen: Modular Supply Chain Targeting VMware ESXi
Rhysida and Interlock ransomware operations have shifted to a modular supply chain model, leveraging Initial Access Brokers (IABs) and specialized crypter services to target VMware ESXi hypervisors. By employing the "GentleKiller" framework—an EDR-terminating toolset targeting over 400 security processes across 48 products—affiliates (including Storm-2697) disable guest-level defenses before deploying Go-based, self-propagating encryptors. This strategy enables the mass encryption of multiple virtual machines simultaneously at the virtualization layer, utilizing per-file ephemeral key encryption to maximize operational paralysis and extortion leverage.