This sneaky ransomware is now targeting Linux servers, too

LockBit is a hugely popular form of ransomware for cyber criminals targeting Windows - and now cybersecurity researchers have identified a Linux-ESXi variant of it in the wild.
Written by Danny Palmer, Senior Writer

One of the most prolific families of ransomware now has additional Linux and VMware ESXi variants that have been spotted actively targeting organisations in recent months.

Analysis by cybersecurity researchers at Trend Micro identified LockBit Linux-ESXi Locker version 1.0 being advertised on an underground forum. Previously, LockBit ransomware – which was by far the most active ransomware family at one point last year – was focused on Windows.

LockBit has a reputation as one of the most sneaky forms of ransomware. And now the Linux and VMware ESXi variant means that the ransomware could potentially spread itself even further, encrypting a wider variety of servers and files – and driving up the pressure for a victim to give in and pay a ransom for the decryption key. 

SEE: A winning strategy for cybersecurity (ZDNet special report)

"The release of this variant is in line with how modern ransomware groups have been shifting their efforts to target and encrypt Linux hosts such as ESXi servers," said Junestherry Dela Cruz, threats analyst at Trend Micro.

"An ESXi server typically hosts multiple VMs, which in turn hold important data or services for an organization. The successful encryption by ransomware of ESXi servers could therefore have a large impact on targeted companies."

By targeting Linux, LockBit is following in the footsteps of other ransomware groups, including REvil and DarkSide, but the popularity of LockBit ransomware-as-a-service means that attacks could have a much wider impact and organisations should be aware of the potential threat.

Like many other ransomware attacks, LockBit steals information from compromised networks and threatens to publish it if the ransom isn't received – and that ransom demand can amount to millions of dollars.

As with previous versions of LockBit, the Linux variant features a note from the attackers that attempts to lure people into handing over corporate account details to further spread ransomware, in exchange for a cut of the profits – although it's unclear if attempting to attract insiders to give up secrets in this way actually works.

Researchers suggest that ransomware is harder to detect on Linux, but that implementing best security practices still provides the best chance of preventing the network from falling victim to an attack.

This includes keeping systems up to date with the latest security patches to prevent intrusions, especially as LockBit is known to exploit vulnerable servers to help it spread. Those behind LockBit attacks have also been known to exploit stolen usernames and passwords, so if it's known that a password has been part of a data breach, it should be changed.

It's also recommended that multi-factor authentication is applied across the entire ecosystem in order to provide an additional layer of defence against attacks.


Editorial standards