Experts analyze first LockBit ransomware for Linux and VMware ESXi

LockBit expands its operations by implementing a Linux version of LockBit ransomware that targets VMware ESXi servers.

LockBit is the latest ransomware operation to add the support for Linux systems, experts spotted a new version that targets VMware ESXi virtual machines.

The move aims at expanding the audience of potential targets, including all the organizations that are migrating to virtualization environments.

The LockBit operations are advertising a new Linux version that targets VMware ESXi virtual machines since October 2021. According to Trend Micro, an announcement for LockBit Linux-ESXi Locker version 1.0 was advertising the Linux version in the underground forum “RAMP” since October.

Trend Micro analyzed the Lockbit Linux-ESXi Locker version 1.0 which uses a combination of Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms for data encryption.

The following image shows the list of arguments supported by the version analyzed by the researchers.

This version is able to gather the following information from the infected systems:

Processor information
Volumes in the system
Virtual machines (VMs) for skipping
Total files
Total VMs
Encrypted files
Encrypted VMs
Total encrypted size
Time spent for encryption

Below is the list of commands supported by LockBit’s encryptor analyzed by Trend Micro, they allow to determine the type of virtual machines registered on the target system and power off them to unlock and encrypt their resources.

Command	Description
vm-support –listvms	Obtain a list of all registered and running VMs
esxcli vm process list	Get a list of running VMs
esxcli vm process kill –type force –world-id	Power off the VM from the list
esxcli storage filesystem list	Check the status of data storage
/sbin/vmdumper %d suspend_v	Suspend VM
vim-cmd hostsvc/enable_ssh	Enable SSH
vim-cmd hostsvc/autostartmanager/enable_autostart false	Disable autostart
vim-cmd hostsvc/hostsummary grep cpuModel	Determine ESXi CPU model

Lockbit ransomware operations is the last in order of time to add the support for the Linux encryptors, other gangs that already implemented it in the past are HelloKitty, BlackMatter, REvil, AvosLocker, and the Hive ransomware operations.

“The release of this variant is in line with how modern ransomware groups have been shifting their efforts to target and encrypt Linux hosts such as ESXi servers. An ESXi server typically hosts multiple VMs, which in turn hold important data or services for an organization. The successful encryption by ransomware of ESXi servers could therefore have a large impact on targeted companies. This trend was spearheaded by ransomware families like REvil and DarkSide.” reads the analysis published by Trend Micro.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Lockbit ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.