Enterprise security software developer Trend Micro announced that it is tracking a new ransomware variant named LockBit Linux-ESXi Locker version 1.0, which targets Linux servers and VMware ESXi hosts. The variant was first advertised on the underground forum "RAMP" in October 2021. Trend Micro also stated that it has detected the variant in the wild.
Combination of AES and ECC algorithms
The new version uses a combination of the Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) to encrypt the victim's data. LockBit Linux-ESXi Locker version 1.0 also has logging capabilities that record:
- Processor information
- Volumes in the system
- Virtual machines (VMs) for skipping
- Total files
- Total VMs
- Encrypted files
- Encrypted VMs
- Total encrypted size
- Time spent for encryption
The ransomware also invokes ESXi command-line utilities to enumerate and shut down VMs before it encrypts the VM images hosted on ESXi servers:
- vm-support --listvms: Obtain a list of all registered and running VMs
- esxcli vm process list: Get a list of running VMs
- esxcli vm process kill --type force --world-id: Force power-off of a VM from the list
- esxcli storage filesystem list: Check the status of data storage
- /sbin/vmdumper %d suspend_v: Suspend a VM (%d is filled in with the VM's world ID at runtime)
- vim-cmd hostsvc/enable_ssh: Enable SSH
- vim-cmd hostsvc/autostartmanager/enable_autostart false: Disable VM autostart
- vim-cmd hostsvc/hostsummary | grep cpuModel: Determine the ESXi CPU model
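The command sequence above is also a detection opportunity: none of those commands is unusual on its own, but an ESXi shell session that enables SSH, disables autostart, lists VMs and then force-kills them within minutes looks like a locker, not an administrator. The following script is an added example, not code from the original article or from Trend Micro, that scores sessions in ESXi shell history for exactly that sequence. It assumes the /var/log/shell.log line layout shown in the constructed sample (timestamp, shell[pid], [user], command), which varies between ESXi releases, and the indicator weights and threshold are assumptions chosen for this example.

```python
import re

# Constructed sample of ESXi shell history. The line layout is modelled on
# /var/log/shell.log (an assumption; check the format on your own hosts).
# Session 2099412 mirrors the LockBit command sequence; 2099555 is a benign admin.
SAMPLE_SHELL_LOG = """\
2021-10-18T09:12:01Z shell[2099412]: [root]: vim-cmd hostsvc/enable_ssh
2021-10-18T09:12:03Z shell[2099412]: [root]: vim-cmd hostsvc/autostartmanager/enable_autostart false
2021-10-18T09:12:05Z shell[2099412]: [root]: vm-support --listvms
2021-10-18T09:12:06Z shell[2099412]: [root]: esxcli vm process list
2021-10-18T09:12:08Z shell[2099412]: [root]: esxcli vm process kill --type force --world-id 2100453
2021-10-18T09:12:09Z shell[2099412]: [root]: esxcli vm process kill --type force --world-id 2100460
2021-10-18T09:12:10Z shell[2099412]: [root]: esxcli storage filesystem list
2021-10-18T09:12:11Z shell[2099412]: [root]: vim-cmd hostsvc/hostsummary | grep cpuModel
2021-10-18T10:30:00Z shell[2099555]: [root]: esxcli vm process list
"""

# One shell.log record: "<ts> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)

# Indicators taken from the command list in the article. Weights are an
# assumption: destructive or persistence-changing commands count more than
# read-only enumeration, which admins run all the time.
INDICATORS = [
    (re.compile(r"esxcli vm process kill\b.*--type\s+force"), 3, "forced VM power-off"),
    (re.compile(r"hostsvc/autostartmanager/enable_autostart\s+false"), 3, "VM autostart disabled"),
    (re.compile(r"hostsvc/enable_ssh\b"), 2, "SSH enabled"),
    (re.compile(r"/sbin/vmdumper\b.*suspend_v"), 2, "VM suspended via vmdumper"),
    (re.compile(r"vm-support\s+--listvms\b"), 1, "VM inventory"),
    (re.compile(r"esxcli vm process list\b"), 1, "running-VM list"),
    (re.compile(r"esxcli storage filesystem list\b"), 1, "datastore enumeration"),
    (re.compile(r"hostsvc/hostsummary\b.*cpuModel"), 1, "CPU model lookup"),
]


def parse_lines(text):
    """Yield parsed records, silently skipping lines that do not match the layout."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def score_sessions(text):
    """Group commands by shell pid and sum indicator weights per session."""
    sessions = {}
    for rec in parse_lines(text):
        s = sessions.setdefault(
            rec["pid"],
            {"user": rec["user"], "score": 0, "hits": [], "first": rec["ts"], "last": rec["ts"]},
        )
        s["last"] = rec["ts"]
        for pattern, weight, label in INDICATORS:
            if pattern.search(rec["cmd"]):
                s["score"] += weight
                s["hits"].append(label)
                break  # one indicator per command line
    return sessions


def suspicious_sessions(text, threshold=6):
    """Return pids whose session score reaches the (assumed) alert threshold."""
    return sorted(pid for pid, s in score_sessions(text).items() if s["score"] >= threshold)


if __name__ == "__main__":
    for pid, s in score_sessions(SAMPLE_SHELL_LOG).items():
        flag = "ALERT" if pid in suspicious_sessions(SAMPLE_SHELL_LOG) else "ok"
        print(f"{flag:5} pid={pid} user={s['user']} score={s['score']} "
              f"{s['first']}..{s['last']} hits={s['hits']}")
```

The benign session scores 1 (a single `esxcli vm process list`) and is not reported; the locker-like session scores 15. Because the locker enables SSH and disables autostart before it starts killing VMs, alerting on the persistence-changing commands alone (weight 3 each) would already fire before the first VM is powered off, which is the point at which an intervention still saves data.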
The ransom note lists the leak sites where the group threatens to publish the stolen data if the company refuses to pay. The note also advertises that the group pays millions of dollars to insiders willing to sell account credentials that give access to their employer's network, or to run the malware on a computer inside their company. Trend Micro says:
"ESXi offers organizations an easier way to manage their servers. But ransomware operators are also mirroring the transition of organizations to platforms such as ESXi. This development adds LockBit to the list of ransomware families capable of targeting Linux hosts in general and the ESXi platform in particular.
While Linux versions are typically harder to detect, implementing security best practices can still help organizations minimize the possibility of a successful attack. In the case of LockBit, keeping systems up to date can prevent intrusions. This is because LockBit has been known to use access credentials stolen from vulnerable servers and sold in the cybercriminal underground."