
Payload

According to 0x3oBAD, this is a 64-bit Linux ELF ransomware binary targeting VMware ESXi hypervisor environments. The sample combines a robust cryptographic scheme (Curve25519 ECDH and ChaCha20) with ESXi-specific VM enumeration via the vmInventory.xml inventory file, graceful shutdown of running VMs before encryption, and a multi-threaded file encryption pipeline scaled to the number of available CPU cores. The ransom note is delivered inside ESXi's own web UI welcome.txt, replacing the host management interface greeting.


Family metadata imported from Malpedia (Fraunhofer FKIE).