LockBit, the prominent ransomware group, is said to have added support for targeting Linux-based virtual machines, especially VMware servers.
As reported by Trend Micro researchers, LockBit's new Linux encryptor gives affiliates a simple command-line interface for managing hijacked Linux VMware servers. The researchers warned security teams to be aware of the update and to guard their systems against Linux encryptors.
LockBit With Linux VM Support
LockBit is one of the few prominent ransomware groups that rose to popularity after the demise of the REvil gang last year. Despite the notable victims in its bag, LockBit ransomware has so far targeted only Windows machines. Now it is said to have added support for encrypting Linux-based virtual machines too.
This applies in particular to VMware ESXi and vCenter installations, as reported by the Trend Micro researchers. The new encryptor uses AES to encrypt files and elliptic-curve cryptography (ECC) algorithms to encrypt the decryption keys.
Other ransomware groups have had this kind of support for a long time, but LockBit's addition stands out for its simple command-line utilities, which let affiliates check what kind of VMs their targets are running and shut them down easily.
Below are the commands that LockBit's Linux encryptor can run:
Command | Description |
---|---|
vm-support --listvms | Obtain a list of all registered and running VMs |
esxcli vm process list | Get a list of running VMs |
esxcli vm process kill --type force --world-id | Power off the VM from the list |
esxcli storage filesystem list | Check the status of data storage |
/sbin/vmdumper %d suspend_v | Suspend VM |
vim-cmd hostsvc/enable_ssh | Enable SSH |
vim-cmd hostsvc/autostartmanager/enable_autostart false | Disable autostart |
vim-cmd hostsvc/hostsummary \| grep cpuModel | Determine ESXi CPU model |
LockBit works on a ransomware-as-a-service model: it rents its encrypting malware to hackers and shares the ransom earned from a victim with them. Since more and more organizations are moving to virtual machines to save hardware resources and simplify backups, security teams and system admins working for them should be aware of such updates in the ransomware industry.
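
For teams that collect ESXi shell command logs, the following added example (not from Trend Micro or the original article) shows one way to flag the command sequence in the table above. Several of these commands are routine administration on their own, so it alerts only when VM enumeration and at least two disruptive actions by the same user fall within one time window. The log line layout, the ten-minute window, the grouping names and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Command patterns from the table above, grouped by effect (group names are illustrative).
PATTERNS = {
    "enumerate": re.compile(r"vm-support\s+--listvms|esxcli\s+vm\s+process\s+list"),
    "force_kill": re.compile(r"esxcli\s+vm\s+process\s+kill\s+--type[ =]force"),
    "suspend": re.compile(r"/sbin/vmdumper\s+\d+\s+suspend_v"),
    "enable_ssh": re.compile(r"vim-cmd\s+hostsvc/enable_ssh"),
    "autostart_off": re.compile(r"vim-cmd\s+hostsvc/autostartmanager/enable_autostart\s+false"),
}
DISRUPTIVE = {"force_kill", "suspend", "autostart_off"}
# Assumed log layout: "<ISO-8601 UTC>Z shell[<pid>]: [<user>]: <command>"
LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z \S+: \[(\w+)\]: (.*)$")

# Constructed sample lines, not taken from a real host.
SAMPLE = [
    "2022-01-27T09:00:01Z shell[2100001]: [admin]: esxcli vm process list",
    "2022-01-27T10:15:02Z shell[2100345]: [root]: vm-support --listvms",
    "2022-01-27T10:15:05Z shell[2100345]: [root]: vim-cmd hostsvc/autostartmanager/enable_autostart false",
    "2022-01-27T10:15:09Z shell[2100345]: [root]: esxcli vm process kill --type force --world-id 1234567",
    "2022-01-27T10:15:11Z shell[2100345]: [root]: esxcli vm process kill --type=force --world-id=1234568",
]

def classify(command):
    return {name for name, rx in PATTERNS.items() if rx.search(command)}

def detect(lines, window=timedelta(minutes=10)):
    """Alert per user when enumeration plus >=2 disruptive actions share one window."""
    per_user = {}
    for line in lines:
        m = LINE.match(line)
        tags = classify(m.group(3)) if m else set()
        if tags:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            per_user.setdefault(m.group(2), []).append((ts, tags))
    alerts = []
    for user, events in per_user.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, tags in events[i:]:
                if ts - start > window:
                    break
                seen |= tags
            if "enumerate" in seen and len(seen & DISRUPTIVE) >= 2:
                alerts.append((user, start.isoformat(), sorted(seen)))
                break  # one alert per user is enough to start triage
    return alerts
```

On the constructed sample, the `admin` user's lone `esxcli vm process list` raises nothing, while the `root` burst of enumeration, autostart disable and forced power-off produces one alert.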