FILTERING BY: CLEAR FILTER

Rhysida, Interlock, and The Gentlemen: Modular Supply Chain Targeting VMware ESXi

Rhysida and Interlock ransomware operations have shifted to a modular supply chain model, leveraging Initial Access Brokers (IABs) and specialized crypter services to target VMware ESXi hypervisors. By employing the "GentleKiller" framework—an EDR-terminating toolset targeting over 400 security processes across 48 products—affiliates (including Storm-2697) disable guest-level defenses before deploying Go-based, self-propagating encryptors. This strategy enables the mass encryption of multiple virtual machines simultaneously at the virtualization layer, utilizing per-file ephemeral key encryption to maximize operational paralysis and extortion leverage.


LINK COPIED TO CLIPBOARD