The REvil ransomware operation is now using a Linux encryptor that targets and encrypts Vmware ESXi virtual machines. By targeting virtual machines this way, REvil can encrypt many servers at once with a single command.

With the enterprise moving to virtual machines for easier backups, device management, and efficient use of resources, ransomware gangs increasingly create their own tools to mass encrypt storage used by VMs.

In May, Advanced Intel's Yelisey Boguslavskiy shared a forum post from the REvil operation where they confirmed that they had released a Linux version of their encryptor that could also work on NAS devices.