LockBit ransomware targets VMware ESXi servers on Linux



Short News:-

LockBit is the latest ransomware gang with a Linux encryptor focused on encrypting VMware ESXi virtual machines. Trend Micro researchers analyzed the encryptor used to target VMware ESXi and vCenter installations. LockBit provides a command-line interface that lets affiliates enable or disable various features to tailor their attacks. The encryptor uses a range of ESXi command-line utilities to find which virtual machines are running and shut them down cleanly so they are not corrupted while being encrypted. Trend Micro's analysis shows extensive use of both VMware ESXi and vCenter utilities in the encryptor.




Detailed News:-

Ransomware gang LockBit's Linux encryptor has been found to focus on the encryption of VMware ESXi virtual machines, according to security researchers.


Virtual machines are increasingly being used in the enterprise to save resources, consolidate servers, and make backups easier.


Because of this, there has been an increasing number of Linux-based ransomware attacks in recent years that specifically target the popular VMware virtualization platforms.


The ability to run ELF64 Linux executables is a feature that distinguishes ESXi from pure Linux.


VMware ESXi servers are LockBit's primary target.

A new Linux encryptor for VMware ESXi virtual machines was introduced by LockBit as part of their Ransomware-as-a-Service operation in October.


Trend Micro researchers have analyzed the ransomware gang's Linux encryptor and explained in their report how it is used to attack VMware ESXi and vCenter installations.


This isn't the first time BleepingComputer has seen Linux-based encryptors; in the past, we've seen them in the form of ransomware like Hive and HelloKitty.


Using a command-line interface, similar to other Linux encryptors, affiliates can enable and disable specific features to better suit their attacks.


In addition to being able to specify the maximum file size and number of bytes to encrypt, users can also choose whether or not to stop running virtual machines or wipe free space afterward, as illustrated in the following image.


To ensure that no virtual machines are corrupted while being encrypted, the LockBit Linux encryptor makes extensive use of the VMware ESXi and VMware vCenter command-line utilities.


The following is a complete list of commands that Trend Micro detected in LockBit's encryptor:


Command | Purpose

vm-support --listvms | Obtain a list of all registered and running VMs

esxcli vm process list | Get a list of running VMs

esxcli vm process kill --type force --world-id | Power off the VM from the list

esxcli storage filesystem list | Check the status of data storage

/sbin/vmdumper %d suspend_v | Suspend VM

vim-cmd hostsvc/enable_ssh | Enable SSH

vim-cmd hostsvc/autostartmanager/enable_autostart false | Disable autostart

vim-cmd hostsvc/hostsummary grep cpuModel | Determine ESXi CPU model
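The command list above is useful to defenders because every one of those utilities leaves a trace in the ESXi host's shell log when run interactively. The following is an added detection example (not code from the article or from Trend Micro) that parses constructed lines in the style of ESXi's /var/log/shell.log (the "timestamp shell[pid]: [user]: command" layout is assumed), classifies each command against the list above, and flags a shell session that performs several distinct encryptor-like actions in a row. The log lines, PIDs and world IDs are constructed for the example.

```python
import re

# Constructed sample lines in the style of ESXi /var/log/shell.log
# (timestamp shell[pid]: [user]: command). Illustrative only, not captured
# from a real incident. The first session mirrors the sequence in the table
# above; the second is ordinary admin activity.
SAMPLE_SHELL_LOG = """\
2021-10-30T01:12:03Z shell[2102567]: [root]: esxcli vm process list
2021-10-30T01:12:09Z shell[2102567]: [root]: vim-cmd hostsvc/enable_ssh
2021-10-30T01:12:11Z shell[2102567]: [root]: vim-cmd hostsvc/autostartmanager/enable_autostart false
2021-10-30T01:12:15Z shell[2102567]: [root]: esxcli vm process kill --type force --world-id 2098765
2021-10-30T01:12:16Z shell[2102567]: [root]: esxcli vm process kill --type force --world-id 2098801
2021-10-30T01:12:20Z shell[2102567]: [root]: esxcli storage filesystem list
2021-11-02T09:40:00Z shell[2200011]: [root]: esxcli vm process list
2021-11-02T09:41:12Z shell[2200011]: [root]: esxcli network ip interface list
"""

# Assumed shell.log line layout; lines that do not match are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)

# One coarse category per command family from the list Trend Micro reported.
# Scoring on distinct categories (not raw line count) keeps a single
# "esxcli vm process list" by an admin from tripping the alert.
PATTERNS = {
    "list_vms": re.compile(r"\b(vm-support\s+--listvms|esxcli\s+vm\s+process\s+list)\b"),
    "force_kill_vm": re.compile(r"\besxcli\s+vm\s+process\s+kill\b.*--type\s+force"),
    "suspend_vm": re.compile(r"vmdumper\b.*\bsuspend"),
    "enable_ssh": re.compile(r"\bvim-cmd\s+hostsvc/enable_ssh\b"),
    "disable_autostart": re.compile(
        r"\bvim-cmd\s+hostsvc/autostartmanager/enable_autostart\s+false\b"
    ),
    "enum_datastores": re.compile(r"\besxcli\s+storage\s+filesystem\s+list\b"),
    "host_recon": re.compile(r"\bvim-cmd\s+hostsvc/hostsummary\b"),
}


def parse_shell_log(text):
    """Parse shell.log-style text into a list of dicts (ts, pid, user, cmd)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify(cmd):
    """Return the category a command belongs to, or None if it is not of interest."""
    for name, pattern in PATTERNS.items():
        if pattern.search(cmd):
            return name
    return None


def find_suspicious_sessions(text, min_categories=3):
    """Group commands by shell PID (one interactive session) and return
    {pid: sorted categories} for sessions that perform at least
    `min_categories` distinct encryptor-like actions."""
    per_session = {}
    for entry in parse_shell_log(text):
        category = classify(entry["cmd"])
        if category:
            per_session.setdefault(entry["pid"], set()).add(category)
    return {
        pid: sorted(categories)
        for pid, categories in per_session.items()
        if len(categories) >= min_categories
    }


if __name__ == "__main__":
    for pid, categories in find_suspicious_sessions(SAMPLE_SHELL_LOG).items():
        print(f"shell session {pid}: {', '.join(categories)}")
```

The threshold of three distinct categories is a starting point, not a rule: a maintenance window where an administrator disables autostart and powers VMs off will look similar, so in practice the check is paired with change-ticket data and with forwarding shell.log off the host, since an encryptor running as root can clear the local copy.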


Because of the widespread use of VMware ESXi in the enterprise, network defenders and security professionals should assume that every large ransomware operation has already developed a Linux variant.


With this assumption, administrators and security professionals can devise appropriate defenses and plans to protect all network devices, not just Windows ones.


Because of LockBit's encryptors' speed and feature set, it has grown to be the most prominent ransomware operation since REvil shut down.


Remember that ransomware gangs are watching us just as much as we're watching them.


In other words, they keep an eye on the social media feeds of security researchers and journalists to see what new tactics, defenses, and vulnerabilities they can exploit against corporate targets are being discussed.


As a result, ransomware groups are constantly tweaking their encryptors and tactics to stay ahead of security teams and Windows administrators.

