A newly uncovered variant of LockBit is the latest ransomware family to target VMware’s ESXi enterprise-class virtual machine platform.
The LockBit ransomware-as-a-service (RaaS) group has over the past year targeted various organizations globally, including ones in Chile, Italy and the UK. Researchers with Trend Micro in an analysis this week said they uncovered an announcement for LockBit Linux-ESXi Locker version 1.0 in October, made on the underground forum RAMP for potential affiliates. Since then, they have seen numerous samples in the wild, though they have not yet seen any organizations actually targeted by the variant.
“This signifies the LockBit ransomware group’s efforts to expand its targets to Linux hosts,” said Junestherry Dela Cruz, threats analyst with Trend Micro. “I think modern ransomware families who are using the double extortion technique are moving towards targeting Linux environments since servers are usually hosted on this OS.”
The new variant uses both Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms, the same encryption methods used in the LockBit 2.0 Windows variant. The ransomware variant also has capabilities for logging the system's processor data, the virtual machines it skips, total files, total VMs, encrypted files, encrypted VMs, total encrypted size and the time spent on encryption.
Once downloaded, the ransomware has various commands for encrypting VM images that are hosted on the ESXi servers. These include ones for obtaining a list of all registered and running VMs, powering off VMs from the list, checking the status of data storage, enabling SSH, disabling autostart and determining the ESXi CPU model.
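The sequence of host-level actions described above (enumerate VMs, power them off, check datastores, enable SSH, disable autostart) is a detection opportunity for defenders. The following added example, not code from the article or from Trend Micro, scans constructed ESXi shell-log lines for that sequence and flags any shell session that hits several of those capabilities; the command patterns are assumed ESXi-shell equivalents of the capabilities the article names, and the log format is constructed.

```python
import re
from collections import defaultdict

# Constructed sample of ESXi shell-log lines (not taken from the article).
SAMPLE_SHELL_LOG = """\
2022-01-26T10:00:01Z shell[12345]: [root]: vim-cmd vmsvc/getallvms
2022-01-26T10:00:03Z shell[12345]: [root]: esxcli vm process list
2022-01-26T10:00:05Z shell[12345]: [root]: vim-cmd vmsvc/power.off 12
2022-01-26T10:00:06Z shell[12345]: [root]: vim-cmd vmsvc/power.off 13
2022-01-26T10:00:07Z shell[12345]: [root]: esxcli storage filesystem list
2022-01-26T10:00:08Z shell[12345]: [root]: vim-cmd hostsvc/enable_ssh
2022-01-26T10:00:09Z shell[12345]: [root]: vim-cmd hostsvc/autostartmanager/enable_autostart false
2022-01-26T11:30:00Z shell[12399]: [admin]: esxcli system version get
"""

# Each capability the article lists, mapped to an assumed ESXi-shell command
# pattern. Individually these are routine admin commands; the signal is a
# single session chaining several of them.
CAPABILITY_PATTERNS = {
    "enumerate_vms": re.compile(r"vim-cmd vmsvc/getallvms|esxcli vm process list"),
    "power_off_vm": re.compile(r"vim-cmd vmsvc/power\.off"),
    "datastore_status": re.compile(r"esxcli storage filesystem list"),
    "enable_ssh": re.compile(r"vim-cmd hostsvc/enable_ssh"),
    "disable_autostart": re.compile(r"autostartmanager/enable_autostart false"),
}

# Assumed line layout: timestamp, shell[pid], [user], command.
LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")


def scan_shell_log(text, threshold=3):
    """Return {pid: {capability: first matching command}} for shell sessions
    that exercise at least `threshold` distinct capabilities."""
    hits = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not look like shell commands
        for cap, pat in CAPABILITY_PATTERNS.items():
            if pat.search(m["cmd"]):
                hits[m["pid"]].setdefault(cap, m["cmd"])
    return {pid: caps for pid, caps in hits.items() if len(caps) >= threshold}


if __name__ == "__main__":
    for pid, caps in scan_shell_log(SAMPLE_SHELL_LOG).items():
        print(f"suspicious session {pid}: {sorted(caps)}")
```

Raise or lower `threshold` to tune noise against legitimate maintenance windows, and correlate flagged sessions with the source address of the SSH or DCUI login that opened the shell.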
For the most part the ransomware exhibits hallmarks of LockBit attacks, including in its ransom note, which lists leak sites where the LockBit group threatens to publish stolen information, and includes a recruitment ad for potential insiders, enticing them with “millions of dollars” in exchange for access to valuable company data.
“LockBit's operators typically threaten to publish data they stole from their victims on their leak site once their targeted organizations have failed to comply with their ransom demands,” according to Dela Cruz.
Several other ransomware groups - including those behind BlackMatter, AvosLocker and HelloKitty - have shifted their efforts to target the ESXi platform, a hypervisor developed by VMware that enterprise organizations use to deploy and manage virtual machines.
As more organizations transition to ESXi, researchers said attackers increasingly view this platform as lucrative for ransomware attacks. Because the ESXi hypervisor allows multiple VMs to share the same hard drive storage, this creates an opportunity for attackers to target these centralized virtual hard drives used to store data from across VMs - creating a larger potential for disruption for companies.
“Targeting VMware ESXi servers allows the attacker to encrypt multiple virtual machines at once, each of which possibly contains large amounts of company data,” said Dela Cruz. “More encrypted data means bigger pressure for the victim company to pay the ransom demand.”
Fernando Martinez, of AT&T Alien Labs, said that REvil and DarkSide are some of the most relevant ransomware families that have added ESXi infection capabilities to their code.
“These families adapted their already existing code with a few lines to include ESXi capabilities in 2021,” he said. “ESXi is virtualization technology developed by VMware that allows multiple virtual machines (VM) to share the same hard drive storage. It is not a Linux operating system, but the ESXi command shell offers the capability to run some Linux-compiled ELF binaries. ESXi can host any OS in their machines.”
Researchers said organizations should keep systems up to date to prevent intrusions, particularly because LockBit is known to use access credentials stolen from vulnerable servers and sold on underground forums. LockBit ransomware affiliates are also known to exploit vulnerabilities like CVE-2018-13379 - a path traversal vulnerability in Fortinet's FortiGate SSL VPN - or employ company insider threats that can provide sensitive data like RDP or VPN credentials for access.