The ransomware ecosystem is evolving at an alarming pace, and the latest findings from Check Point Research highlight a significant shift in how attackers are targeting enterprise infrastructure. The Gentlemen ransomware-as-a-service (RaaS) group has introduced a specialized ESXi locker, signaling a more focused and sophisticated approach to disrupting virtualized environments.

Initially gaining traction with Go-based encryptors targeting Windows, Linux, BSD, and NAS systems, the group has now moved toward a more refined strategy. Their newly developed C-based payload is specifically designed for VMware ESXi servers, enabling faster and more efficient attacks on critical enterprise systems.

This ESXi-focused locker is built for performance. It begins by shutting down virtual machines to release file locks, first attempting a controlled shutdown and escalating to forceful termination if systems remain active. This ensures that encryption can proceed smoothly without interference. To further enhance speed, the malware modifies storage behavior by increasing write buffer capacity and reducing flush intervals, effectively accelerating disk operations.

In addition, the ransomware manipulates virtual disk structures to synchronize writes across datastores, optimizing the encryption process. It employs a hybrid cryptographic model, combining XChaCha20 for file encryption with X25519 for key exchange, making recovery nearly impossible without the attacker’s decryption key.

Despite its aggressive nature, the malware is strategically designed to avoid critical system directories. This allows the infected system to remain operational enough to display ransom instructions, ensuring communication with victims is maintained. The ransomware also offers flexible encryption modes, allowing attackers to encrypt only a fraction of large files—just enough to render them unusable while significantly reducing execution time.

Beyond the encryption mechanism, Check Point Research observed that the group’s infrastructure has become far more advanced. Affiliates are using SystemBC proxy malware to establish covert SOCKS5 tunnels, enabling persistent access and control within compromised environments. This has resulted in a large-scale botnet of over 1,500 infected systems globally, particularly concentrated in enterprise-heavy regions like the United States, the United Kingdom, and Germany.
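The SOCKS5 tunnelling described above is something a network defender can look for at the protocol level. The following parser is an added example, not code from Check Point Research or from the malware: it decodes the two client-side SOCKS5 messages defined in RFC 1928 (the method greeting and the CONNECT request) and labels a captured flow, so that internal hosts that begin speaking SOCKS5 toward an external address can be flagged. The byte strings are constructed samples; SystemBC's own framing around the tunnel is not described in the article and is not modelled here.

```python
"""Minimal SOCKS5 client-handshake parser for flow triage (added example).

Assumptions (not from the article): the captured flow holds the client's first
bytes in order, greeting then request; SAMPLE_FLOW below is constructed, not a
real SystemBC capture.
"""
import struct

NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def parse_greeting(data):
    """Parse VER NMETHODS METHODS... (RFC 1928 section 3).
    Returns (methods, bytes_consumed), or None if this is not a SOCKS5 greeting."""
    if len(data) < 2 or data[0] != 0x05:
        return None
    n = data[1]
    if len(data) < 2 + n:
        return None
    return list(data[2:2 + n]), 2 + n


def parse_request(data):
    """Parse VER CMD RSV ATYP DST.ADDR DST.PORT (RFC 1928 section 4).
    Returns {'cmd', 'host', 'port'}, or None if malformed or not SOCKS5."""
    if len(data) < 4 or data[0] != 0x05 or data[2] != 0x00:
        return None
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        if len(data) < 10:
            return None
        host = ".".join(str(b) for b in data[4:8])
        port = struct.unpack("!H", data[8:10])[0]
    elif atyp == ATYP_DOMAIN:
        if len(data) < 5:
            return None
        n = data[4]
        if len(data) < 5 + n + 2:
            return None
        host = data[5:5 + n].decode("ascii", errors="replace")
        port = struct.unpack("!H", data[5 + n:7 + n])[0]
    elif atyp == ATYP_IPV6:
        if len(data) < 22:
            return None
        host = ":".join(f"{data[i]:02x}{data[i + 1]:02x}" for i in range(4, 20, 2))
        port = struct.unpack("!H", data[20:22])[0]
    else:
        return None
    return {"cmd": cmd, "host": host, "port": port}


def classify_flow(client_bytes):
    """Label the client side of a flow: 'socks5-connect', 'socks5-other' or
    'not-socks5'. A CONNECT from a host that should never act as a proxy client
    is the case worth alerting on."""
    greeting = parse_greeting(client_bytes)
    if greeting is None:
        return "not-socks5"
    _, consumed = greeting
    req = parse_request(client_bytes[consumed:])
    if req is None:
        return "socks5-other"
    return "socks5-connect" if req["cmd"] == CMD_CONNECT else "socks5-other"


# Constructed sample: greeting offering no authentication, then CONNECT example.com:443.
SAMPLE_FLOW = (
    bytes([0x05, 0x01, NO_AUTH])
    + bytes([0x05, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(b"example.com")])
    + b"example.com"
    + struct.pack("!H", 443)
)

if __name__ == "__main__":
    print(parse_greeting(SAMPLE_FLOW))
    print(parse_request(SAMPLE_FLOW[3:]))
    print(classify_flow(SAMPLE_FLOW))
```

In practice the classifier runs over the first client-to-server bytes of each outbound TCP flow (from a packet capture or a flow sensor with payload sampling); the useful signal is the pairing of a SOCKS5 CONNECT with a source host that has no business acting as a proxy client, rather than SOCKS5 traffic in itself.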

These attacks are no longer opportunistic. Instead, they represent coordinated, human-operated campaigns that involve deep infiltration before execution. The ransomware includes built-in lateral movement capabilities, allowing it to spread across networks using legitimate administrative tools once credentials are obtained, making detection increasingly difficult.

To further increase pressure on victims, the malware actively disables backup and recovery solutions, including Veeam and Windows Shadow Copies. By removing these recovery options, attackers significantly increase the likelihood of ransom payments.
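Two of the behaviours described above, the burst of VM shutdowns before encryption and the removal of Shadow Copies and Veeam backups, leave traces in logs that a SOC can alert on. The script below is an added example, not code from Check Point Research or the malware: it runs a sliding-window detector over constructed ESXi-style task log lines and a small rule set over constructed Windows process-creation events. The log line format and regex are a simplified assumption and must be adapted to real hostd/vobd output; the service name `VeeamBackupSvc` and the command lines are part of the constructed sample.

```python
"""Pre-encryption behaviour detection over sample logs (added example).

Assumptions (not from the article): ESXI_LOG uses a simplified constructed
format (timestamp level 'Task: <op> vm=<name>'); WINDOWS_EVENTS are constructed
process-creation records, not real Sysmon or Security log exports.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed ESXi-style task log: five VMs powered off or killed within six seconds,
# then one unrelated power-off hours later.
ESXI_LOG = """\
2025-01-10T02:14:01Z info  Task: vim.VirtualMachine.powerOff vm=web-01
2025-01-10T02:14:02Z info  Task: vim.VirtualMachine.powerOff vm=db-01
2025-01-10T02:14:03Z warn  Task: vim.VirtualMachine.terminate vm=db-01
2025-01-10T02:14:04Z info  Task: vim.VirtualMachine.powerOff vm=app-02
2025-01-10T02:14:05Z info  Task: vim.VirtualMachine.powerOff vm=app-03
2025-01-10T02:14:06Z warn  Task: vim.VirtualMachine.terminate vm=app-03
2025-01-10T09:30:00Z info  Task: vim.VirtualMachine.powerOff vm=test-99
"""

# Matches only shutdown-type operations; the regex is tied to the constructed format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\w+\s+Task: vim\.VirtualMachine\."
    r"(?P<op>powerOff|terminate)\s+vm=(?P<vm>\S+)$"
)


def detect_shutdown_storm(log_text, window=timedelta(seconds=60), threshold=4):
    """Return the sorted list of distinct VMs hit by powerOff/terminate inside any
    sliding `window` once at least `threshold` distinct VMs are affected; [] otherwise."""
    recent = deque()  # (timestamp, vm) events still inside the window
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        recent.append((ts, m["vm"]))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        vms = sorted({vm for _, vm in recent})
        if len(vms) >= threshold:
            return vms
    return []


# Constructed Windows process-creation events (shape of Sysmon EID 1 / Security 4688 fields).
WINDOWS_EVENTS = [
    {"host": "fs-01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "fs-01", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop VeeamBackupSvc"},
    {"host": "ws-07", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
]

# Rules for the recovery-destruction behaviour the article attributes to the locker.
BACKUP_TAMPER_RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("veeam_service_stop", re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+Veeam", re.I)),
]


def detect_backup_tampering(events):
    """Return (host, rule_name) for every event whose command line matches a rule;
    each event contributes at most one hit."""
    hits = []
    for ev in events:
        for name, pattern in BACKUP_TAMPER_RULES:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["host"], name))
                break
    return hits


if __name__ == "__main__":
    print("VM shutdown storm:", detect_shutdown_storm(ESXI_LOG))
    print("Backup tampering:", detect_backup_tampering(WINDOWS_EVENTS))
```

The shutdown-storm threshold and window should be tuned against a baseline of legitimate maintenance windows, where many VMs are also powered off in quick succession; pairing the storm alert with the backup-tampering hits on the same network segment within a short interval is what raises confidence that the activity is ransomware staging rather than patching.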

According to Check Point Research, the addition of an ESXi-specific locker reflects a broader trend in ransomware evolution—targeting the core of enterprise infrastructure. As virtual environments continue to underpin modern business operations, securing them has become more critical than ever.
