Experts analyze first LockBit ransomware for Linux and VMware ESXi

LockBit expands its operations by implementing a Linux version of LockBit ransomware that targets VMware ESXi servers.

LockBit is the latest ransomware operation to add the support for Linux systems, experts spotted a new version that targets VMware ESXi virtual machines.

The move aims at expanding the audience of potential targets, including all the organizations that are migrating to virtualization environments.

The LockBit operations are advertising a new Linux version that targets VMware ESXi virtual machines since October 2021. According to Trend Micro, an announcement for LockBit Linux-ESXi Locker version 1.0 was advertising the Linux version in the underground forum “RAMP” since October.

Trend Micro analyzed the Lockbit Linux-ESXi Locker version 1.0 which uses a combination of Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms for data encryption.

The following image shows the list of arguments supported by the version analyzed by the researchers.

This version is able to gather the following information from the infected systems:

• Processor information
• Volumes in the system
• Virtual machines (VMs) for skipping
• Total files
• Total VMs
• Encrypted files
• Encrypted VMs
• Total encrypted size
• Time spent for encryption

Below is the list of commands supported by LockBit’s encryptor analyzed by Trend Micro, they allow to determine the type of virtual machines registered on the target system and power off them to unlock and encrypt their resources.

Command	Description
vm-support –listvms	Obtain a list of all registered and running VMs
esxcli vm process list	Get a list of running VMs
esxcli vm process kill –type   force –world-id	Power off the VM from the list
esxcli storage filesystem list	Check the status of data storage
/sbin/vmdumper %d suspend_v	Suspend VM
vim-cmd hostsvc/enable_ssh	Enable SSH
vim-cmd hostsvc/autostartmanager/enable_autostart false	Disable autostart
vim-cmd hostsvc/hostsummary grep cpuModel	Determine ESXi CPU model

Lockbit ransomware operations is the last in order of time to add the support for the Linux encryptors, other gangs that already implemented it in the past are HelloKitty, BlackMatter, REvil, AvosLocker, and the Hive ransomware operations.

“The release of this variant is in line with how modern ransomware groups have been shifting their efforts to target and encrypt Linux hosts such as ESXi servers. An ESXi server typically hosts multiple VMs, which in turn hold important data or services for an organization. The successful encryption by ransomware of ESXi servers could therefore have a large impact on targeted companies. This trend was spearheaded by ransomware families like REvil and DarkSide.” reads the analysis published by Trend Micro.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Lockbit ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]