The "Gentlemen" ransomware group has been observed deploying a highly specialized ELF binary designed specifically for VMware ESXi hypervisors. The sample exhibits intimate knowledge of the ESXi command-line ecosystem (esxcli, vim-cmd), employing aggressive strategies to terminate virtual machines (VMs) and manipulate storage buffers before encryption.
Our analysis of the decompiled C code reveals a sophisticated, multi-threaded locker utilizing ChaCha20 encryption, intermittent "speed" modes to corrupt large virtual disks rapidly, and specific anti-analysis guardrails designed to thwart automated sandboxes.
The Gatekeeper: Anti-Analysis Argument Checks
One of the first lines of defense this malware employs is a "password" check. Automated sandboxes often execute samples without arguments to observe behavior. "Gentlemen" anticipates this; if the correct password is not provided via the command line, the binary simply prints "bad password" and exits, revealing no malicious activity.
As seen in the entry function FUN_00401660, the malware explicitly checks argv[2] against a hardcoded string:
// Code Reference: FUN_00401660
iVar3 = strcmp((char *)param_2[2], "KhHULsJugc"); // Hardcoded password
if (iVar3 != 0) {
    puts("bad password");
    return 1;
}
This simple logic effectively prevents the malware from detonating in generic analysis environments that do not know the KhHULsJugc key.
Weaponizing the ESXi Environment
Once authenticated, the malware prepares the ESXi host for maximum impact. It doesn't just encrypt files; it aggressively frees up file handles by terminating running VMs and modifying buffer settings to ensure encrypted data is committed to disk as soon as possible.
Buffer Cache Manipulation
The malware modifies the ESXi buffer cache settings to reduce the cache size and increase the flush frequency, so that encrypted file operations are written to disk more quickly and less unencrypted data remains in volatile memory buffers:
system("esxcfg-advcfg -s 32768 /BufferCache/MaxCapacity > /dev/null 2>&1");
system("esxcfg-advcfg -s 20000 /BufferCache/FlushInterval > /dev/null 2>&1");
The "Kill" Loop
To encrypt virtual disks (.vmdk), the files must not be locked by a running VM process. The malware utilizes a dual-method approach to shut down VMs:
- Soft Stop: It attempts to gracefully power off VMs using vim-cmd vmsvc/power.off.
- Hard Kill: It iterates through running processes using esxcli vm process list and terminates them if they persist.
// Code Reference: FUN_00401660
snprintf((char *)__s, 0x200, "esxcli vm process kill --type=force --world-id=%s > /dev/null 2>&1");
system((char *)__s);
Cryptographic Implementation: Speed Over Stealth
The malware utilizes the ChaCha20 stream cipher, a standard choice for modern ransomware due to its high performance on CPUs lacking hardware AES acceleration.
Identifying ChaCha20:
In function FUN_00404e20, we observe the initialization of the ChaCha20 state matrix using the standard "expand 32-byte k" constants:
// Code Reference: FUN_00404e20 - ChaCha20 Constants
*(undefined4 *)(param_1 + 0x10) = 0x61707865; // "apxe" (expa)
*(undefined4 *)((long)param_1 + 0x84) = 0x3320646e; // "nd 3" (3 dn)
*(undefined4 *)(param_1 + 0x11) = 0x79622d32; // "2-by" (yb-2)
*(undefined4 *)((long)param_1 + 0x8c) = 0x6b206574; // "te k" (k et)
Intermittent "Speed" Modes:
Encrypting terabytes of VM data takes time. To expedite the attack, "Gentlemen" implements intermittent encryption flags that encrypt only a percentage of the file. The logic in FUN_00401660 and FUN_00402720 calculates jump intervals based on the selected mode:
- --fast: Encrypts 9% of the file.
- --superfast: Encrypts 3% of the file.
- --ultrafast: Encrypts 1% of the file.
// Code Reference: FUN_00402720
if (DAT_006086f4 != 0) {
    dVar12 = dVar12 * 0.01; // Ultrafast: 1%
} else if (DAT_006086f8 == 0) {
    dVar12 = dVar12 * 0.09; // Fast: 9%
} else {
    dVar12 = dVar12 * 0.03; // Superfast: 3%
}
This logic allows the threat actors to render a 10TB datastore unusable in minutes rather than hours.
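The striping that percentage-based modes leave behind is something a defender can measure. The following is an added example, not code from the report or from the sample: it computes per-block Shannon entropy over a file image and reports the high-entropy fraction and stride, using a constructed stand-in for a .vmdk (the 4 KiB block size, the 7.5-bit threshold and the one-random-block-in-N simulation are assumptions, not details recovered from the malware).

```python
import math
import random
from collections import Counter

BLOCK = 4096         # analysis granularity: one entropy sample per 4 KiB block
HIGH_ENTROPY = 7.5   # bits/byte; stream-cipher output sits near 8.0, disk filler far lower

def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or constant input)."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def profile(data: bytes) -> dict:
    """Map high-entropy blocks and summarise the striping they form."""
    flags = [shannon_entropy(data[i:i + BLOCK]) >= HIGH_ENTROPY
             for i in range(0, len(data), BLOCK)]
    hits = [i for i, hot in enumerate(flags) if hot]
    fraction = len(hits) / len(flags) if flags else 0.0
    # A constant gap between high-entropy blocks is the fingerprint of
    # percentage-based intermittent encryption; whole-file encryption has gap 1.
    gaps = Counter(b - a for a, b in zip(hits, hits[1:]))
    stride = gaps.most_common(1)[0][0] if gaps else 0
    if fraction == 0.0:
        verdict = "clean"
    elif fraction >= 0.95:
        verdict = "fully-encrypted"
    else:
        verdict = "intermittent"
    return {"fraction": fraction, "stride": stride, "verdict": verdict}

def simulate(blocks: int, every: int, seed: int = 1) -> bytes:
    """Constructed stand-in for a VMDK: low-entropy filler with one random
    block every `every` blocks (11 ~ 9%, 33 ~ 3%, 100 ~ 1%; 0 = untouched)."""
    rng = random.Random(seed)
    filler = (b"VMDK filler sector " * 256)[:BLOCK]
    out = bytearray()
    for i in range(blocks):
        out += rng.randbytes(BLOCK) if every and i % every == 0 else filler
    return bytes(out)

if __name__ == "__main__":
    for label, every in (("untouched", 0), ("--fast", 11),
                         ("--superfast", 33), ("--ultrafast", 100)):
        print(f"{label:11s}", profile(simulate(1100, every)))
```

Run against real images, replace simulate() with a read of the file in BLOCK-sized chunks; a stride that stays constant across many files on one datastore is a stronger signal than any single file's fraction.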
Persistence Mechanisms
To ensure the encryption process completes even if the system is rebooted or the session is interrupted, "Gentlemen" installs aggressive persistence hooks.
In FUN_004024f0, the code copies the running executable to a hidden location and modifies system startup scripts:
- RC.Local Injection: It creates a script in /etc/rc.local.d to execute the payload 30 seconds after boot.
- Crontab Manipulation: It adds a @reboot entry to the root crontab.
// Code Reference: FUN_004024f0
snprintf(acStack_839 + 1, 0x800,
         "mkdir -p /etc/rc.local.d 2>/dev/null; echo '#!/bin/sh' > '%s'; ...", ...);
snprintf(acStack_839 + 1, 0x800,
         "echo '@reboot sleep 60 && %s %s' | crontab - 2>/dev/null", ...);
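A hunting check for the two hooks just described, added here as an example and not taken from the report: it scans a crontab dump for @reboot entries and a listing of /etc/rc.local.d for unexpected scripts, looking for the sleep-then-execute shape. The sample crontab, the script names and the /tmp/.hidden/locker path are constructed; treating local.sh as the only expected rc.local.d script is an assumption.

```python
import re

# local.sh is the stock ESXi startup hook; any other file in /etc/rc.local.d
# deserves a look. This allow-list is an assumption, not taken from the report.
KNOWN_RC_SCRIPTS = {"local.sh"}
REBOOT_RE = re.compile(r"^\s*@reboot\s+(?P<cmd>.+)$")
# "sleep N && /path/to/binary ..." is the shape of both hooks the report describes
DELAYED_EXEC_RE = re.compile(r"sleep\s+(?P<delay>\d+)\s*(?:&&|;)\s*(?P<exe>\S+)")

def audit_crontab(text: str) -> list[str]:
    """Flag every @reboot entry in a crontab dump, noting a delayed exec if present."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REBOOT_RE.match(line)
        if not m:
            continue
        d = DELAYED_EXEC_RE.search(m["cmd"])
        detail = (f"runs {d['exe']} after {d['delay']}s" if d
                  else f"runs '{m['cmd']}'")
        findings.append(f"crontab line {lineno}: @reboot {detail}")
    return findings

def audit_rc_local(scripts: dict[str, str]) -> list[str]:
    """Flag unexpected rc.local.d scripts (name -> body), highlighting delayed execs."""
    findings = []
    for name, body in scripts.items():
        if name in KNOWN_RC_SCRIPTS:
            continue
        d = DELAYED_EXEC_RE.search(body)
        detail = f"runs {d['exe']} after {d['delay']}s" if d else "unknown script"
        findings.append(f"rc.local.d/{name}: {detail}")
    return findings

# Constructed sample input (not captured from a real host)
SAMPLE_CRONTAB = """\
0 0 * * * /bin/rotate-logs.sh
@reboot sleep 60 && /tmp/.hidden/locker KhHULsJugc
"""
SAMPLE_RC_SCRIPTS = {
    "local.sh": "#!/bin/sh\nexit 0\n",
    "99-locker.sh": "#!/bin/sh\nsleep 30 && /tmp/.hidden/locker KhHULsJugc\n",
}

if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB) + audit_rc_local(SAMPLE_RC_SCRIPTS):
        print(finding)
```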
Indicators of Compromise (IOCs)
- Malware Hashes (SHA-256): 5dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca
- 1eece1e1ba4b96e6c784729f0608ad2939cfb67bc4236dfababbe1d09268960c
- Ransom Extension: .fjuuk0 appended to files.
- Ransom Note: README-GENTLEMEN.txt placed in directories.
- Execution Password: KhHULsJugc (found in command line history logs).
- YARA rule:
rule rbrk_linux_ransomware_gentlemen_ESXi {
    meta:
        description = "Detects Gentlemen Ransomware targeting VMware ESXi"
        author = "Rubrik Zero Labs"
        date = "2026-02-03"
        hash = "5dc607c8990841139768884b1b43e1403496d5a458788a1937be139594f01dca"
    strings:
        $s1 = "KhHULsJugc" ascii
        $s2 = ".fjuuk0" ascii
        $s3 = "README-GENTLEMEN.txt" ascii
        $s4 = "esxcli vm process kill" ascii
        $s5 = "vim-cmd vmsvc/power.off" ascii
        $s6 = "esxcfg-advcfg -s 32768 /BufferCache/MaxCapacity" ascii
        $s7 = "--superfast" ascii
        $s8 = "--ultrafast" ascii
    condition:
        all of ($s*)
}
Conclusion
The "Gentlemen" ESXi ransomware represents a mature, purpose-built threat to virtualization infrastructure. Its use of intermittent encryption and ESXi-specific administrative commands demonstrates that ransomware operators are continuing to optimize their tools for speed and maximum disruption.