A Linux variant of Black Basta ransomware has been observed targeting VMware’s ESXi virtual machine (VMs) platforms.

The Black Basta ransomware binary searches for the /vmfs/volumes where the VMs are stored and then uses the ChaCha2 algorithm to encrypt the files. Each encryption folder will append the .basta extension and contain ransom notes named readme.txt. The notes include a link to a chat support panel as well as a unique ID that victims can use to communicate with the threat actors.

Download the report