LockBit expands its operations by implementing a Linux version of LockBit ransomware that targets VMware ESXi servers.
LockBit is the latest ransomware operation to add the support for Linux systems, experts spotted a new version that targets VMware ESXi virtual machines.
The move aims at expanding the audience of potential targets, including all the organizations that are migrating to virtualization environments.
The LockBit operations are advertising a new Linux version that targets VMware ESXi virtual machines since October 2021. According to Trend Micro, an announcement for LockBit Linux-ESXi Locker version 1.0 was advertising the Linux version in the underground forum “RAMP” since October.
Trend Micro analyzed the Lockbit Linux-ESXi Locker version 1.0 which uses a combination of Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms for data encryption.
The following image shows the list of arguments supported by the version analyzed by the researchers.
This version is able to gather the following information from the infected systems:
- Processor information
- Volumes in the system
- Virtual machines (VMs) for skipping
- Total files
- Total VMs
- Encrypted files
- Encrypted VMs
- Total encrypted size
- Time spent for encryption
Below is the list of commands supported by LockBit’s encryptor analyzed by Trend Micro, they allow to determine the type of virtual machines registered on the target system and power off them to unlock and encrypt their resources.
| Command | Description |
|---|---|
| vm-support –listvms | Obtain a list of all registered and running VMs |
| esxcli vm process list | Get a list of running VMs |
| esxcli vm process kill –type force –world-id | Power off the VM from the list |
| esxcli storage filesystem list | Check the status of data storage |
| /sbin/vmdumper %d suspend_v | Suspend VM |
| vim-cmd hostsvc/enable_ssh | Enable SSH |
| vim-cmd hostsvc/autostartmanager/enable_autostart false | Disable autostart |
| vim-cmd hostsvc/hostsummary grep cpuModel | Determine ESXi CPU model |
Lockbit ransomware operations is the last in order of time to add the support for the Linux encryptors, other gangs that already implemented it in the past are HelloKitty, BlackMatter, REvil, AvosLocker, and the Hive ransomware operations.
“The release of this variant is in line with how modern ransomware groups have been shifting their efforts to target and encrypt Linux hosts such as ESXi servers. An ESXi server typically hosts multiple VMs, which in turn hold important data or services for an organization. The successful encryption by ransomware of ESXi servers could therefore have a large impact on targeted companies. This trend was spearheaded by ransomware families like REvil and DarkSide.” reads the analysis published by Trend Micro.
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Lockbit ransomware)
[adrotate banner=”5″]
[adrotate banner=”13″]
Share On
