Experts analyze first LockBit ransomware for Linux and VMware ESXi

Pierluigi Paganini January 27, 2022

LockBit expands its operations by implementing a Linux version of LockBit ransomware that targets VMware ESXi servers.

LockBit is the latest ransomware operation to add the support for Linux systems, experts spotted a new version that targets VMware ESXi virtual machines.

The move aims at expanding the audience of potential targets, including all the organizations that are migrating to virtualization environments.

The LockBit operations are advertising a new Linux version that targets VMware ESXi virtual machines since October 2021. According to Trend Micro, an announcement for LockBit Linux-ESXi Locker version 1.0 was advertising the Linux version in the underground forum “RAMP” since October.

Trend Micro analyzed the Lockbit Linux-ESXi Locker version 1.0 which uses a combination of Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms for data encryption.

The following image shows the list of arguments supported by the version analyzed by the researchers.

Lockbit ransomware

This version is able to gather the following information from the infected systems:

  • Processor information
  • Volumes in the system
  • Virtual machines (VMs) for skipping
  • Total files
  • Total VMs
  • Encrypted files
  • Encrypted VMs
  • Total encrypted size
  • Time spent for encryption

Below is the list of commands supported by LockBit’s encryptor analyzed by Trend Micro, they allow to determine the type of virtual machines registered on the target system and power off them to unlock and encrypt their resources.

vm-support –listvms Obtain a list of all registered and running VMs
esxcli vm process list Get a list of running VMs 
esxcli vm process kill –type   force –world-id Power off the VM from the list 
esxcli storage filesystem list Check the status of data storage 
/sbin/vmdumper %d suspend_v Suspend VM 
vim-cmd hostsvc/enable_ssh Enable SSH 
vim-cmd hostsvc/autostartmanager/enable_autostart false Disable autostart 
vim-cmd hostsvc/hostsummary grep cpuModel Determine ESXi CPU model

Lockbit ransomware operations is the last in order of time to add the support for the Linux encryptors, other gangs that already implemented it in the past are HelloKittyBlackMatterREvilAvosLocker, and the Hive ransomware operations.

“The release of this variant is in line with how modern ransomware groups have been shifting their efforts to target and encrypt Linux hosts such as ESXi servers. An ESXi server typically hosts multiple VMs, which in turn hold important data or services for an organization. The successful encryption by ransomware of ESXi servers could therefore have a large impact on targeted companies. This trend was spearheaded by ransomware families like REvil and DarkSide.” reads the analysis published by Trend Micro.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Lockbit ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment