Ransomware, Threat Management, Threat Management, Security Strategy, Plan, Budget

Error in ALPHV/BlackCat ransomware code may offer some Linux users a shield

Oracle CEO Larry Ellison delivers a keynote address at the 2006 Oracle OpenWorld conference Oct. 25, 2006, in San Francisco.  (Photo by Justin Sullivan/Getty Images)

Researchers at Forescout discovered a mechanism to stop current versions of ALPHV ransomware from deploying on most Linux systems.

"As long as there's [a dummy binary called esxcli], the malware basically, basically hangs after that," said Daniel Dos Santos, head of research for Forescout.

ALPHV, also known as BlackCat, recently emerged as a large player in the ransomware marketplace. The malware is an updated version of BlackMatter/Darkside, which the designers claim was spruced up by former programmers for that group and REvil. This week the FBI requested assistance from former victims in its investigation of the group.

Breaking down the malware after an engagement, Forescout noted an interesting quirk. In any Linux attack, ALPHV requests VMWare ESXi hypervisor shut down all virtual machines through a binary called esxcli. If the call fails, ALPHV goes on encrypting the system as normal.

But if a fake esxcli was set up to return "true" to any request, ALPHV becomes indefinitely stuck trying to shut down virtual machines. With a dummy binary set to do that, almost all Linux users can stop ALPHV attacks, at least until ALPHV patches their ransomware.

Forescout could not find a way to make the trick work for ESXi users, who cannot have a dummy binary replace esxcli.

"We stopped short of calling it something like a kill switch because it's not something that is fully applicable in general, yet, due to the ESXi cases" said Dos Santos. "It's not that it would be impossible to apply on ESXi. We just didn't find a safe way to do that."

Other findings from the Forescout report include instructions for how to extract malware configurations, something that will be of use for incident response. The report also details a protocol used to distribute encryption across multiple instances of the malware across local systems. Dos Santos describes the protocol itself as simple, but note the inclusion of any protocol a more advanced feature for ransomware that has not been seen before.

"It seems like they are experimenting with new stuff, like they're striving to do something that makes it more of a good — good is a difficult word to use, but it works well. It's malware that works well, that is that is efficient," he said.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.