
LockBit Ransomware Variant is Now Targeting VMware ESXi Servers

The LockBit operators have been advertising a new Linux version on an underground platform since October 2021.


LockBit ransomware has always been a key weapon for malicious actors targeting Windows, but cybersecurity researchers at Trend Micro spotted LockBit Linux-ESXi Locker version 1.0 being advertised on an underground platform, meaning the sneaky ransomware is now targeting VMware ESXi virtual machines.

According to Trend Micro, the LockBit operators have been advertising a new Linux version since October 2021. The move expands the pool of potential targets to include the many organizations that are shifting to virtualized environments. Additionally, the ransomware can encrypt a wide range of servers and files, which drives up the pressure on a victim to give in and pay a ransom for the decryption key.

"The release of this variant is in line with how modern ransomware groups have been shifting their efforts to target and encrypt Linux hosts such as ESXi servers," stated Junestherry Dela Cruz, threats analyst at Trend Micro. "An ESXi server typically hosts multiple VMs, which in turn hold important data or services for an organization. The successful encryption by ransomware of ESXi servers could therefore have a large impact on targeted companies." 

According to the researchers, Linux encryptors are nothing new as similar encryptors have been discovered in the past from HelloKitty, BlackMatter, REvil, AvosLocker, and the Hive ransomware operations. Like other Linux encryptors, LockBit offers a command-line interface allowing affiliates to enable and disable various features to tailor their attacks.

However, what makes the LockBit Linux encryptor stand out is the wide use of both VMware ESXi and VMware vCenter command-line utilities to check what virtual machines are running and to shut them down so they are not compromised while being encrypted.
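That reliance on the ESXi command-line utilities is also what gives defenders a detection opportunity: commands typed into the ESXi Shell (locally or over SSH) are recorded in /var/log/shell.log, so a VM enumeration followed by a burst of VM power-off or kill commands is a pattern worth alerting on. The following detector is an added example written for this post, not code from Trend Micro or the LockBit analysis; it assumes the shell.log line format shown in the constructed sample, and it watches for the standard `esxcli vm process` and `vim-cmd vmsvc` utilities, which are an assumption about the utilities the report refers to, since the post names none.

```python
import re
from datetime import datetime, timedelta

# Constructed ESXi /var/log/shell.log lines (format assumed, all values invented).
SAMPLE_SHELL_LOG = """\
2021-10-26T09:58:01Z shell[2201]: [admin]: esxcli storage filesystem list
2021-10-26T10:00:12Z shell[2210]: [root]: esxcli vm process list
2021-10-26T10:00:15Z shell[2210]: [root]: esxcli vm process kill --type=force --world-id=2100012
2021-10-26T10:00:16Z shell[2210]: [root]: esxcli vm process kill --type=force --world-id=2100034
2021-10-26T10:00:17Z shell[2210]: [root]: vim-cmd vmsvc/power.off 7
2021-10-26T10:00:18Z shell[2210]: [root]: vim-cmd vmsvc/power.off 9
2021-10-26T14:30:00Z shell[3301]: [admin]: vim-cmd vmsvc/power.off 3
"""

LINE_RE = re.compile(r"^(\S+)\s+shell\[\d+\]:\s+\[(\w+)\]:\s+(.*)$")
# VM enumeration and VM stop commands (assumed set of utilities of interest).
ENUM_RE = re.compile(r"\b(esxcli vm process list|vim-cmd vmsvc/getallvms)\b")
STOP_RE = re.compile(r"\b(esxcli vm process kill|vim-cmd vmsvc/power\.off)\b")


def parse_shell_log(text):
    """Yield (timestamp, user, command) for each line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines in another format rather than failing
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3)


def detect_mass_vm_shutdown(text, threshold=3, window=timedelta(minutes=5)):
    """Alert when a user enumerates VMs and then stops >= threshold VMs within window."""
    alerts = []
    last_enum = {}  # user -> timestamp of that user's most recent enumeration
    stops = {}      # user -> stop timestamps seen since that enumeration
    for ts, user, cmd in parse_shell_log(text):
        if ENUM_RE.search(cmd):
            last_enum[user] = ts
            stops[user] = []
        elif STOP_RE.search(cmd) and user in last_enum and ts - last_enum[user] <= window:
            stops[user].append(ts)
            if len(stops[user]) == threshold:  # one alert per enumeration burst
                alerts.append({"user": user, "enumerated_at": last_enum[user],
                               "stopped_at": ts, "count": threshold})
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_vm_shutdown(SAMPLE_SHELL_LOG):
        print(alert)
```

On the sample, the lone power-off by `admin` hours later is not flagged, while the enumerate-then-stop burst by `root` is; tune `threshold` and `window` to the normal change rate of the host.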

To mitigate the risks, Trend Micro advised organizations to keep systems up to date with the latest security patches to prevent intrusions, especially as LockBit is known to exploit vulnerable servers to help it spread. Those behind LockBit attacks have also been known to exploit stolen usernames and passwords, so if it's known that a password has been part of a data breach, it should be changed.

Additionally, multi-factor authentication can be applied across the entire ecosystem in order to provide an additional layer of defense against cyber assaults.