MichaelKors Ransomware-as-a-Service: A New Cyber Threat on the Rise (May 15, 2023)

Ref# AL2023_37 | Date: May 24th 2023


A newly unveiled digital menace known as MichaelKors Ransomware-as-a-Service. This insidious cyber threat has gained notoriety for its ability to empower malevolent actors with a simple and effective means to unleash devastating ransomware attacks.


The MichaelKors Ransomware-as-a-Service as of April 2023 has been reported as a malware encryption malware targeting Linux and VMware ESXi systems, it was noted an increase in interest by cybercriminals towards ESXi systems due to the absence of third-party agent support or antivirus software, VMware declared this support is not required, however, ESXi is a popularly utilized virtualization and management system making the hypervisor a tempting target for threat actors due to the software being run directly on a physical server, which can potentially grant the threat actor the ability to execute malicious ELF binaries and obtained unrestricted access over the servers resources.

The scale in which the attack campaign is being done reflects a technique called Hypervisor jackpotting which in this scenario would be the practice of distributing ransomware to VMware ESXi hypervisors, this strategy has been used by various ransomware organizations throughout the years, including Royal.

Additionally, a SentinelOne research published found that 10 separate ransomware families, including Conti and REvil, used Babuk source code that had been stolen in September 2021 to create lockers for VMware ESXi hypervisors.

ALPHV (BlackCat), Black Basta, Defray, ESXiArgs, LockBit, Nevada, Play, Rook, and Rorschach are noteworthy e-crime organizations that have modified their toolkit to target ESXi.

The lack of security solutions, insufficient network segmentation of ESXi interfaces, and [in-the-wild] vulnerabilities for ESXi, according to CrowdStrike, “are being recognized by more and more threat actors as a target rich environment.”

There are several other groups that have attacked virtual infrastructure than ransomware criminals. A Chinese nation-state group was implicated in using the innovative backdoors VIRTUALPITA and VIRTUALPIE in attacks on VMware ESXi servers in March 2023, according to Google-owned Mandiant.

According to CrowdStrike, attackers “will probably keep targeting VMware-based virtualization infrastructure.” This poses a severe problem as more businesses move their workloads and infrastructure to the cloud, all through VMWare Hypervisor environments. Play, Rook, Nevada, and Rorschach.


Cyber Security tips to protect against the MichaelKors Ransomware-as-a-Service malware:

  1. Keep Linux and VMware ESXi firmware up to date: Regularly updating the firmware can help patch existing vulnerabilities and protect against unknown ones.
  1. Make sure that neither HTTP nor SSH are being used to access VMware vCenter from the internet.
  1. Ensure to regularly backup ESXi datastore volumes, especially virtual machine disk images, and snapshots, and store them with an offsite storage provider. Make sure to back them up every day (or even more frequently, if possible).
  1. Avoid direct access to ESXi hosts and use the vSphere Client to administer ESXi hosts that are managed by a vCenter Server instead, if necessary, only a hardened jump server designed for administrative or privileged activities, outfitted with thorough auditing mechanisms, and with multi-factor authentication (MFA) enabled should have direct access to ESXi.
  1. Implement comprehensive security measures: Companies and organizations should implement a comprehensive security strategy that includes both technical and human elements, such as regular security awareness training for employees to help them recognize and avoid social engineering attacks.

PDF Download: MichaelKors RaaS: A New Cyber Threat on the Rise.pdf