The Conti ransomware strain aimed at VMware’s ESXi hypervisor seems to be designed to be run directly by an operator, say researchers at Trellix.

By comparison, Windows versions of the malware run independently, the researchers said in a report issued this week. This conclusion is part of an analysis of a sample of the ESXi variant of the ransomware, which Trellix got hold of earlier this month.

The existence of an ESXi version of Conti isn’t new, but the sample Trellix acquired is the first it has seen in the wild.

As part of the analysis, the researchers went back to last month’s trove of leaked Conti chat messages to find out the history of the variant. The capture of a sample of this variant, plus an analysis of the leaked chats, reinforces the conclusion of researchers that Conti developers continue to operate normally, with the group adding new victims to their blog on a regular basis, Trellix says.

The first mention of a Conti locker for Linux in the leaked chat messages dates to the beginning of May, 2021, the Trellix report says. Around six weeks later, in mid-June 2021, one developer messaged another that the Linux build of the locker wasn’t ready yet. Perhaps, this person suggested, it should be tested it on a real case — but not a large company. In reply a developer said a large casino hack was almost finalized and suggested that could be the target.

Based on this, Trellix believes an unnamed casino was hit with this strain in the summer of 2021.

The messages show a fix was still required for the Linux variant until the beginning of February, with developers adjusting it for various ESXi versions, including the latest version 7.0 and higher.

The Conti Linux variant decryptor — essential because that’s what victims buy — had some issues too. In July and August, 2021 a developer reported the provided decryptor did not remove the ransomware extension from the victim’s files. A gang member said the victim needed to manually change the extension of the encrypted files. However, because a large volume of files had to be processed, the developer was asked to rebuild the decryptor so that it automatically removes the extension from the decrypted files.

Despite some problems, Trellix says the ESXi variant began being actively distributed in November, 2021. By examining the Conti leaks, researchers think victims have included law firms, the automotive sector, logistic companies, retailers and financial services.

The chat messages suggest for one victim Conti set an initial ransom at US$20 million, but settled at US$1 million, mainly because something went wrong with the Linux variant lock and instead of 800 ESXi servers they managed to encrypt only 260 servers.

Furthermore, the blog says, it seems that the victim did not want Conti’s decryptor, and Conti suspected they somehow managed to recover and restore their systems.

“Targeting ESXi Hypervisors and its virtual machines is of special interest for criminals because the impact on the organizations they attack is huge,” said Trellix researchers. “Nowadays it is a common theme in the ransomware landscape to develop new binaries specifically to encrypt virtual machines and their management environments.”