LockBit is the latest ransomware group whose Linux encryptor has been found to target VMware ESXi virtual machines. Virtual machines are becoming more popular in the industry as a way to conserve computing resources, consolidate servers, and simplify backups.
As a result, ransomware gangs have modified their techniques in the last year to produce Linux encryptors that target the popular VMware vSphere and ESXi virtualization systems. While ESXi is not literally a Linux distribution, it does share many of its properties, such as the ability to execute ELF64 Linux executables.
LockBit announced new capabilities of its Ransomware-as-a-Service operation on the RAMP hacking forum in October, including a new Linux encryptor that attacks VMware ESXi virtual machines. In a new report, Trend Micro researchers analyzed the gang's Linux encryptor and outlined how it is used to attack VMware ESXi and vCenter systems.
LockBit's encryptor, like other Linux encryptors, has a command-line interface that lets operators customize an attack by enabling and disabling certain features. As illustrated in the figure below, these options include specifying the size of files to encrypt and how many bytes of each file to encrypt, as well as whether to stop running virtual machines or wipe free space afterward.
What distinguishes the LockBit Linux encryptor is its extensive use of VMware ESXi and vCenter command-line utilities to check whether virtual machines are running and to shut them down cleanly so they are not corrupted while being encrypted. The full set of commands Trend Micro found in LockBit's encryptor can be found here.
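The defensive corollary of that behaviour is to watch the ESXi shell history for a VM inventory command followed by a burst of VM stop commands. The following is an added example, not code from the article or from Trend Micro's report; the log line shape approximates ESXi's shell.log and the sample lines are constructed, while esxcli and vim-cmd are standard ESXi utilities.

```python
import re
from datetime import datetime, timedelta

# Assumed line shape, approximating ESXi's /var/log/shell.log:
#   "<ISO-8601 timestamp> shell[<pid>]: [<user>]: <command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# Stock ESXi utilities that list and stop VMs. Administrators use them legitimately,
# so one command is not suspicious; the flagged pattern is "list, then many stops".
ENUMERATE_RE = re.compile(r"(esxcli vm process list|vim-cmd vmsvc/getallvms)")
STOP_RE = re.compile(r"(esxcli vm process kill|vim-cmd vmsvc/power\.off)")

def parse_line(line):
    """Return (timestamp, user, command) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("user"), m.group("cmd")

def detect_mass_shutdown(lines, window_seconds=120, min_stops=3):
    """Alert when a VM inventory command is followed, within window_seconds,
    by at least min_stops VM stop commands in the same shell history."""
    events = [e for e in map(parse_line, lines) if e is not None]
    alerts = []
    for i, (ts, user, cmd) in enumerate(events):
        if not ENUMERATE_RE.search(cmd):
            continue
        deadline = ts + timedelta(seconds=window_seconds)
        stops = [e for e in events[i + 1:] if e[0] <= deadline and STOP_RE.search(e[2])]
        if len(stops) >= min_stops:
            alerts.append({"user": user, "start": ts.isoformat(), "stops": len(stops)})
    return alerts

# Constructed sample: routine maintenance in the morning, then a shutdown burst.
SAMPLE_LOG = [
    "2021-10-15T08:00:00Z shell[2001]: [root]: esxcli vm process list",
    "2021-10-15T08:00:30Z shell[2001]: [root]: vim-cmd vmsvc/power.off 12",
    "not a shell log line",
    "2021-10-15T13:00:00Z shell[7310]: [root]: vim-cmd vmsvc/getallvms",
    "2021-10-15T13:00:05Z shell[7310]: [root]: vim-cmd vmsvc/power.off 1",
    "2021-10-15T13:00:09Z shell[7310]: [root]: vim-cmd vmsvc/power.off 2",
    "2021-10-15T13:00:14Z shell[7310]: [root]: esxcli vm process kill --type=soft --world-id=2100001",
    "2021-10-15T13:00:20Z shell[7310]: [root]: esxcli vm process kill --type=soft --world-id=2100002",
]

if __name__ == "__main__":
    for alert in detect_mass_shutdown(SAMPLE_LOG):
        print(f"ALERT: {alert['user']} stopped {alert['stops']} VMs starting {alert['start']}")
```

The morning maintenance (one stop after a listing) stays below the threshold, while the afternoon burst of four stops within twenty seconds of an inventory command raises a single alert.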
According to Trend Micro, the encryptor encrypts data with AES and protects the decryption keys with elliptic-curve cryptography (ECC). Because VMware ESXi is so widely used in the industry, all network defenders and security professionals should assume that every major ransomware operation has already produced a Linux variant.
By making this assumption, administrators and security professionals can build suitable defenses and strategies to protect all devices on their networks, not just Windows devices. This is particularly true of the LockBit ransomware operation, which has risen to prominence since REvil's demise and boasts about the speed and feature set of its encryptors.
It is also important to realize that, just as we are keeping an eye on ransomware gangs, they are keeping an eye on us. They monitor the social feeds of researchers and journalists for the newest methods, defenses, and vulnerabilities that they may turn against corporate targets. To this end, ransomware gangs continually refine their encryptors and techniques to stay one step ahead of security teams and Windows administrators.