“LockBit's operators typically threaten to publish data they stole from their victims on their leak site once their targeted organizations have failed to comply with their ransom demands,” according to Dela Cruz. These include ones for obtaining a list of all registered and running VMs, powering off VMs from the list, checking the status of data storage, enabling SSH, disabling autostart and determining the ESXi CPU model.įor the most part the ransomware exhibits hallmarks of LockBit attacks, including in its ransom note, which lists leak sites where the LockBit group threatens to publish stolen information, and includes a recruitment ad for potential insiders, enticing them with “millions of dollars” in exchange for access to valuable company data. Once downloaded, the ransomware has various commands for encrypting VM images that are hosted on the ESXi servers. The ransomware variant also has logging capabilities for systems’ processor data, virtual machines for skipping, total files, total VMs, encrypted files, encrypted VMs, total encrypted size and time spent for encryption. The new variant uses both Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms, the same encryption methods used in the Lockbit 2.0 Windows variant. “I think modern ransomware families who are using the double extortion technique are moving towards targeting Linux environments since servers are usually hosted on this OS.” “This signifies the LockBit ransomware group’s efforts to expand its targets to Linux hosts,” said Junestherry Dela Cruz, threats analyst with Trend Micro. Since then, they have seen numerous samples in the wild - though they have not yet seen any organizations actually targeted by the variant yet. Researchers with Trend Micro in an analysis this week said they uncovered an announcement for LockBit Linux-ESXi Locker version 1.0 in October, made on the underground forum RAMP for potential affiliates. The LockBit ransomware-as-a-service (RaaS) group has over the past year targeted various organizations globally, including ones in Chile, Italy and the UK. A newly uncovered variant of LockBit is the latest ransomware family to target VMware’s ESXi enterprise-class virtual machine platform.
0 Comments
Leave a Reply. |