Affiliates of MichaelKors RaaS target ESXi servers

May 19, 2023
MichaelKors RaaS Ransomware Europe ESXi Virtualisation Servers Linux VMware Hypervisor Phishing

MichaelKors, a new ransomware-as-a-service (RaaS) operation, has been encrypting Linux and VMware ESXi systems since April. According to the reports, the RaaS supplies its affiliates with the ransomware binaries and an admin panel, and its payloads target Linux and ESXi systems exclusively.

Researchers report that affiliates of the group keep 80 to 85 percent of each ransom payment after a successful operation. The program provides a Rust-based payload that affiliates can customise per target: they can change the extension appended to encrypted files and the list of services and processes the malware terminates (on ESXi, stopping running VMs releases the locks on their disk files so they can be encrypted).


The MichaelKors RaaS also provides its affiliates with an admin panel intended to make their operations more efficient.


Initial investigations revealed that the panel lets affiliates control and manage their attacks in detail. It is divided into sections named Targets, Blogs, Stuffers, Payments, and News and FAQs.

The Targets section holds data about each targeted organisation, the size of the ransom demand, and the per-target customisations of the payload. The Blogs section lets the actor generate a blog post about the targeted company, the usual lever for pressuring a victim publicly. The Stuffers section lets affiliates create accounts for new members of their team, each with separate login credentials and access permissions on the portal.

The Payments section shows the affiliate's earned balance, recent transactions, and the fees for joining the program. Lastly, the News and FAQs section carries updates about the ransomware partnership.

The typical initial-access tactic attributed to MichaelKors is phishing email carrying malicious links.

The steady growth of threats against ESXi is a significant concern for defenders: compromising the hypervisor puts every guest on the host at risk at once, and the MichaelKors RaaS lowers the bar further by letting novice attackers run such attacks.

ESXi administrators should avoid direct access to ESXi hosts (disable SSH and the ESXi Shell when they are not needed and enable lockdown mode) and route administrative access through hardened jump servers protected by MFA, so that only a small, known set of machines can reach the hosts and any login from elsewhere stands out.
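One way to check that the jump-host rule above is actually being followed is to review ESXi login records and flag any session that did not originate from an approved jump host. The script below is an added example, not code from the article or from the researchers it cites. It parses constructed sample lines shaped like ESXi's /var/log/auth.log (sshd) and /var/log/hostd.log ("User ... logged in as ...") records; the host names, IP addresses, event numbers and the jump-host subnet are assumptions, and real log formats should be confirmed against your own hosts before deploying the regexes.

```python
"""Flag interactive ESXi logins that bypass the jump hosts.

Added example (not from the original article). Parses constructed sample
lines modelled on ESXi auth.log and hostd.log records and reports every
login whose source address is not an approved jump host, plus any SSH login
when SSH is supposed to be disabled on the host.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed jump-host subnet; in production this comes from inventory/CMDB.
JUMP_HOSTS = [ipaddress.ip_network("10.10.0.0/29")]

# Constructed sample lines (not real logs). Addresses and PIDs are made up.
SAMPLE_LOG = """\
2023-05-19T08:02:11Z sshd[2098712]: Accepted keyboard-interactive/pam for root from 10.10.0.3 port 51112 ssh2
2023-05-19T08:05:40Z sshd[2098744]: Accepted publickey for root from 192.168.7.44 port 40222 ssh2
2023-05-19T08:06:02Z info hostd[2097652] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 1188 : User root@10.10.0.4 logged in as VMware-client/6.5.0
2023-05-19T08:09:13Z info hostd[2097652] [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 1190 : User root@203.0.113.9 logged in as pyvmomi Python/3.9
2023-05-19T08:10:50Z sshd[2098801]: Failed password for root from 203.0.113.9 port 40300 ssh2
"""

# sshd success line: "Accepted <method> for <user> from <ip> port <n> ssh2"
SSH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
# hostd login event: "... User <user>@<ip> logged in as <client>"
HOSTD_RE = re.compile(
    r"^(?P<ts>\S+) .*User (?P<user>[^@\s]+)@(?P<ip>[\d.]+) logged in as (?P<client>.+)$"
)


@dataclass(frozen=True)
class Login:
    ts: str
    user: str
    ip: str
    channel: str  # "ssh" or "api/ui"
    detail: str   # auth method (ssh) or client string (hostd)


def parse_logins(text):
    """Extract successful logins; failed attempts and other lines are ignored."""
    logins = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            logins.append(Login(m["ts"], m["user"], m["ip"], "ssh", m["method"]))
            continue
        m = HOSTD_RE.match(line)
        if m:
            logins.append(Login(m["ts"], m["user"], m["ip"], "api/ui", m["client"]))
    return logins


def from_jump_host(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in JUMP_HOSTS)


def find_violations(text, allow_ssh=False):
    """Return (login, reason) pairs for logins that break the access policy."""
    hits = []
    for login in parse_logins(text):
        reasons = []
        if not from_jump_host(login.ip):
            reasons.append("source is not an approved jump host")
        if login.channel == "ssh" and not allow_ssh:
            reasons.append("SSH login on a host where SSH should be disabled")
        if reasons:
            hits.append((login, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for login, why in find_violations(SAMPLE_LOG):
        print(f"{login.ts} {login.user}@{login.ip} via {login.channel} ({login.detail}): {why}")
```

Run against the sample, the script flags the SSH session from the jump host (SSH should not be enabled at all), the SSH session from 192.168.7.44 and the API login from 203.0.113.9; the hostd login from 10.10.0.4 passes. The same logic runs unchanged over a syslog feed of many hosts, and the failed-password line is deliberately ignored here so the check stays focused on successful access rather than noise.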
