Researchers on Wednesday said they discovered the LockBit ransomware gang targeting Linux-based ESXi servers from VMware.  ("VMware headquarters" by Ferran Rodenas is licensed under CC BY-NC-SA 2.0)

Researchers on Wednesday said they discovered the LockBit ransomware gang targeting Linux-based ESXi servers from VMware.

In a blog post, Trend Micro researchers said finding the notice on the underground forum RAMP indicated that the LockBit ransomware group plans to expand its targets to Linux hosts. They said they have been seeing examples of these attacks in the wild since last October.

The release of this variant is in line with how modern ransomware groups have been shifting their efforts to the Linux world. An ESXi server typically hosts multiple virtual machines, which in turn hold important data and applications for an organization.

VMware has been in the spotlight for a long time, especially with their widespread deployment of ESXi servers and the vCenter servers, said Anurag Gurtu, chief privacy officer at StrikeReady. Gurtu said several ransomware families have recently targeted these programs, including AvosLocker, Conti, TellYouThePass, and others. Gurtu said to stay one step ahead of Linux and Windows administrators, the ransomware gangs are constantly evolving their encryption techniques.

“In the wake of REvil's shutdown, LockBit has emerged as one of the most prominent ransomwares and is praised for its fast encrypting power,” Gurtu said. ‘It encrypts files with AES and encrypts decryption keys with ECC. This tool utilizes ESXi and vCenter command line interface for cleanly shutting down VMs to avoid corruption. These Linux-based ecryptors are nothing new - HelloKitty (that took on a Brazilian power plant), BlackMatter (a successor to the now-defunct DarkSide and REvil group), AvosLocker (which targeted Microsoft Exchange Server), and Hive, all have used them in the past."

This news continues the conversation from the VMWare Horizon campaign that leveraged the Log4j vulnerability, said Matthew Warner, co-founder and CTO at Blumira. Warner said at no point should companies expose ESXi/VCenter to the internet, and while this was further exacerbated by the change to remote work because of the pandemic, security teams need to manage attack surfaces.

“Previously we've seen ransomware groups attack ESXi and similar hypervisors to lock down virtual machines. however this generally required in-environment access,” Warner said. “While this campaign has not yet reached the same broad scan and exploit attacks that VMWare Horizon did -- they will -- same for all the other Log4j-impacted applications. It’s more important than ever to evaluate exposed attack surfaces and resolve these issues through IT fundamentals to avoid drastic damage of environments even with rapid detection in place.”

As many organizations use ESXi to run their virtual machine infrastructure, this new ransomware variant can have a broader impact versus targeting single server instances, said Saryu Nayyar, founder and CEO at Gurucul. Nayyar said while ESXi primarily focuses on running on physical systems, it has been adapted to also run in public cloud environments as well.

“The best defense against new ransomware variants is rooted in non-rule-based machine learning models that actually adapt to new attacks,” Nayyar said. “As these models learn in real-time they can identify new attack variants and escalate suspicious, but previously unknown, indicators of compromise to security teams for further investigation and even automated response to prevent successful detonation of the ransomware."