Chris Swagler | January 31st, 2022

LockBit Linux

LockBit is the latest ransomware group to be discovered with Linux encryptors focused on encrypting VMware ESXi virtual machines. Virtual machines are increasingly used in enterprises to save computing resources, consolidate servers, and simplify backups. Ransomware groups have evolved their attack methods by creating Linux encryptors that specifically target the popular VMware vSphere and ESXi virtualization platforms. Even though ESXi is not strictly Linux, it shares many characteristics with it, including the ability to run ELF64 Linux executables.

LockBit started promoting its Ransomware-as-a-Service operation’s features on the RAMP forums, including a new Linux encryptor that targets VMware ESXi virtual machines. According to a report, researchers analyzed the ransomware group’s Linux encryptor and explained how it is used to target VMware ESXi and vCenter installations. Linux encryptors are nothing new: similar encryptors have been identified from the HelloKitty, BlackMatter, REvil, AvosLocker, and Hive ransomware groups. Like other Linux encryptors, LockBit’s provides a command-line interface that lets affiliates enable and disable various features to tailor their attacks. These options include specifying the file size and the number of bytes to encrypt, whether to stop running virtual machines, and whether to wipe free space afterward.

The LockBit Linux encryptor stands out for its wide use of both VMware ESXi and VMware vCenter command-line utilities to check which virtual machines are running and then cleanly shut them down so that they can be encrypted without corruption. Researchers indicated that the encryptor uses AES to encrypt files and elliptic-curve cryptography (ECC) to encrypt the decryption keys. Because VMware ESXi is widely used in enterprises, network defenders and security professionals should expect large ransomware operations to develop a Linux version. Working from this assumption, admins and security professionals can develop appropriate defenses and plans to protect all devices in their network, rather than just Windows devices.
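The behavior described above, a shell session enumerating VMs and then powering them off in quick succession before encryption, is something an ESXi host's shell log can reveal. The following detection logic is an added example, not code from the article or from any researcher it cites; the shell.log-style line format and the sample lines are constructed, and the `vim-cmd vmsvc/power.off` and `esxcli vm process kill` commands are assumed as representative ESXi shutdown utilities rather than commands the article attributes to LockBit.

```python
import re
from collections import deque
from datetime import datetime, timezone

# Constructed sample of ESXi shell.log-style lines (format assumed, not from the article).
SAMPLE_LOG = """\
2022-01-31T10:00:01Z shell[10011]: [root]: vim-cmd vmsvc/getallvms
2022-01-31T10:00:04Z shell[10011]: [root]: esxcli vm process list
2022-01-31T10:00:05Z shell[10011]: [root]: vim-cmd vmsvc/power.off 12
2022-01-31T10:00:06Z shell[10011]: [root]: vim-cmd vmsvc/power.off 13
2022-01-31T10:00:07Z shell[10011]: [root]: esxcli vm process kill --type=force --world-id=2100345
2022-01-31T10:00:08Z shell[10011]: [root]: vim-cmd vmsvc/power.off 15
2022-01-31T14:30:00Z shell[10480]: [root]: vim-cmd vmsvc/power.off 20
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
# Assumed set of ESXi commands that power off or kill a running VM.
SHUTDOWN_RE = re.compile(r"\b(vim-cmd\s+vmsvc/power\.(off|shutdown)|esxcli\s+vm\s+process\s+kill)\b")

def parse(log_text):
    """Yield (timestamp, shell pid, user, command) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, int(m["pid"]), m["user"], m["cmd"]

def detect_mass_shutdown(log_text, threshold=3, window_s=60):
    """Return one alert per shell session (pid) whose VM shutdown commands
    reach `threshold` within any sliding window of `window_s` seconds."""
    alerts, recent, alerted = [], {}, set()
    for ts, pid, user, cmd in parse(log_text):
        if not SHUTDOWN_RE.search(cmd):
            continue
        q = recent.setdefault(pid, deque())
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:  # drop commands outside the window
            q.popleft()
        if len(q) >= threshold and pid not in alerted:
            alerted.add(pid)
            alerts.append({"pid": pid, "user": user, "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts
```

A single power-off hours later (the second session in the sample) stays below the threshold, so only the burst from the first session produces an alert.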

Since the shutdown of the REvil ransomware group, LockBit has become the most prominent ransomware operation and prides itself on its encryptors’ speed and feature set.

As ransomware groups continue to evolve their encryption methods and tactics in an attempt to stay ahead of security and Windows administrators, it is important for companies to remain alert to the latest threat landscape and to update the network security of their virtual machines, including their VMware ESXi servers. At SpearTip, our certified engineers continuously monitor companies’ server networks at our 24/7 Security Operations Centers for potential ransomware threats like the LockBit ransomware group. Additionally, we specialize in handling breaches and incident response, with one of the fastest response times in the industry. SpearTip’s ShadowSpear Platform is an unparalleled resource with capabilities to optimize visibility, detect cyber threats at network endpoints, and enhance the security infrastructure of any company.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.