Experts analyze first LockBit ransomware for Linux and VMware ESXi

LockBit expands its operations by implementing a Linux version of LockBit ransomware that targets VMware ESXi servers.

LockBit is the latest ransomware operation to add the support for Linux systems, experts spotted a new version that targets VMware ESXi virtual machines.

The move aims at expanding the audience of potential targets, including all the organizations that are migrating to virtualization environments.

The LockBit operations are advertising a new Linux version that targets VMware ESXi virtual machines since October 2021. According to Trend Micro, an announcement for LockBit Linux-ESXi Locker version 1.0 was advertising the Linux version in the underground forum “RAMP” since October.

Trend Micro analyzed the Lockbit Linux-ESXi Locker version 1.0 which uses a combination of Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms for data encryption.

The following image shows the list of arguments supported by the version analyzed by the researchers.

This version is able to gather the following information from the infected systems:

Processor informationVolumes in the systemVirtual machines (VMs) for skippingTotal filesTotal VMsEncrypted filesEncrypted VMsTotal encrypted sizeTime spent for encryptionBelow is the list of commands supported by LockBit’s encryptor analyzed by Trend Micro, they allow to determine the type of virtual machines registered on the target system and power off them to unlock and encrypt their resources.

CommandDescriptionvm-support –listvms Obtain a list of all registered and running VMsesxcli vm process list Get a list of running VMs esxcli vm process kill –type   force –world-id Power off the VM from the list esxcli storage filesystem list Check the status of data storage /sbin/vmdumper %d suspend_v Suspend VM vim-cmd hostsvc/enable_ssh Enable SSH vim-cmd hostsvc/autostartmanager/enable_autostart false Disable autostart vim-cmd hostsvc/hostsummary grep cpuModel Determine ESXi CPU modelLockbit ransomware operations is the last in order of time to add the support for the Linux encryptors, other gangs that already implemented it in the past are HelloKitty, BlackMatter, REvil, AvosLocker, and the Hive ransomware operations.

“The release of this variant is in line with how modern ransomware groups have been shifting their efforts to target and encrypt Linux hosts such as ESXi servers. An ESXi server typically hosts multiple VMs, which in turn hold important data or services for an organization. The successful encryption by ransomware of ESXi servers could therefore have a large impact on targeted companies. This trend was spearheaded by ransomware families like REvil and DarkSide.” reads the analysis published by Trend Micro.

Follow me on Twitter: @securityaffairs and Facebook

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}

try {
window._mNHandle.queue.push(function (){
window._mNDetails.loadTag(“816788371”, “300×250”, “816788371”);
});
}
catch (error) {}
Pierluigi Paganini

(SecurityAffairs – hacking, Lockbit ransomware)

The post Experts analyze first LockBit ransomware for Linux and VMware ESXi appeared first on Security Affairs.