Ransomware gangs are doing something right now that is standard procedure for most businesses: expanding their customer base. These aren't willing customers, however: ransomware operations are branching out from Windows machines to Linux as well. Not only does this enlarge their potential target base, it may also improve their profit margins, since Linux servers often host high-value resources.
This includes VMware ESXi hypervisor hosts, which give ransomware attackers far greater leverage. By compromising the host, an attacker can shut down every virtual machine (VM) it runs and then encrypt the VM files on the datastore (virtual disks, configuration and snapshot files), taking down many workloads in one stroke.
A single ESXi host can run as many as 1,024 VMs. ESXi has its own custom kernel rather than a Linux one, but it can run Linux executables, which is why encryptors compiled for Linux also run on it.
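The attack sequence described above, stop every VM and then encrypt the datastore, leaves two artefacts an incident responder can check. The script below is an added example (not from the original article and not any vendor's tooling): it parses the command history ESXi writes to /var/log/shell.log for a burst of VM shutdown commands, and scans a datastore listing for VM files that have had a foreign extension appended. The log lines, datastore paths and the ".locked" extension are constructed for the example; the esxcli and vim-cmd shutdown commands are the ones ESXi lockers are widely reported to run before encrypting, so that the locked disk files are no longer held open by a running VM.

```python
"""Added example: spot the "stop every VM, then encrypt the datastore" sequence
on an ESXi host from the shell command log and a VMFS datastore listing.

All log lines and file paths below are constructed for this example; the
".locked" suffix is a hypothetical ransomware extension, not a real family's.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Host-level VM shutdown commands that ESXi lockers are reported to run before
# encrypting, so the .vmdk files are no longer locked by a running VM.
KILL_PATTERNS = (
    re.compile(r"\besxcli\s+vm\s+process\s+kill\b"),
    re.compile(r"\bvim-cmd\s+vmsvc/power\.off\b"),
)

# A VM file with an extra extension appended after its normal one
# (e.g. db01-flat.vmdk.locked) is the classic post-encryption signature.
RENAMED_VM_FILE = re.compile(r"\.(vmdk|vmx|vmsd|vmsn|nvram|vswp)\.[A-Za-z0-9_-]+$")

# ESXi /var/log/shell.log format: "<ISO timestamp> shell[<pid>]: [<user>]: <command>"
SHELL_LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)


def parse_shell_log(lines):
    """Return (timestamp, user, command) tuples; lines that do not parse are skipped."""
    events = []
    for line in lines:
        m = SHELL_LOG_LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("user"), m.group("cmd")))
    return events


def kill_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Return (user, first_timestamp, count) for every run of >= threshold VM
    shutdown commands by one user inside `window`. One power-off is routine
    administration; killing every VM on the host within seconds is not."""
    stamps_by_user = defaultdict(list)
    for ts, user, cmd in events:
        if any(p.search(cmd) for p in KILL_PATTERNS):
            stamps_by_user[user].append(ts)

    bursts = []
    for user, stamps in stamps_by_user.items():
        stamps.sort()
        i = 0
        while i < len(stamps):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                bursts.append((user, stamps[i], count))
                i = j + 1  # do not re-report the same run
            else:
                i += 1
    return bursts


def renamed_vm_files(paths):
    """Return datastore paths whose VM file extension has something appended to it."""
    return [p for p in paths if RENAMED_VM_FILE.search(p.rsplit("/", 1)[-1])]


# Constructed sample of /var/log/shell.log: one routine power-off by an admin in
# the morning, then a root session killing six VMs in under two minutes.
SAMPLE_SHELL_LOG = """\
2021-07-01T09:30:12Z shell[1900]: [admin]: vim-cmd vmsvc/power.off 3
2021-07-01T12:00:01Z shell[2055]: [root]: esxcli vm process list
2021-07-01T12:00:05Z shell[2055]: [root]: esxcli vm process kill --type=force --world-id=2101294
2021-07-01T12:00:06Z shell[2055]: [root]: esxcli vm process kill --type=force --world-id=2101355
2021-07-01T12:00:07Z shell[2055]: [root]: esxcli vm process kill --type=force --world-id=2101402
2021-07-01T12:00:08Z shell[2055]: [root]: esxcli vm process kill --type=force --world-id=2101477
2021-07-01T12:00:09Z shell[2055]: [root]: esxcli vm process kill --type=force --world-id=2101520
2021-07-01T12:00:15Z shell[2055]: [root]: vim-cmd vmsvc/getallvms
2021-07-01T12:01:40Z shell[2055]: [root]: vim-cmd vmsvc/power.off 12
"""

# Constructed datastore listing: one healthy VM, one whose files have been renamed.
SAMPLE_DATASTORE = [
    "/vmfs/volumes/datastore1/win10/win10.vmx",
    "/vmfs/volumes/datastore1/win10/win10.vmxf",
    "/vmfs/volumes/datastore1/win10/win10-flat.vmdk",
    "/vmfs/volumes/datastore1/db01/db01.vmx.locked",
    "/vmfs/volumes/datastore1/db01/db01-flat.vmdk.locked",
    "/vmfs/volumes/datastore1/db01/db01.nvram.locked",
    "/vmfs/volumes/datastore1/db01/HOW_TO_RECOVER.txt",
]


def analyze(log_text=SAMPLE_SHELL_LOG, datastore=SAMPLE_DATASTORE):
    """Combine both signals into one verdict dict."""
    bursts = kill_bursts(parse_shell_log(log_text.splitlines()))
    renamed = renamed_vm_files(datastore)
    return {
        "kill_bursts": bursts,
        "renamed_vm_files": renamed,
        "likely_esxi_ransomware": bool(bursts) and bool(renamed),
    }


if __name__ == "__main__":
    print(analyze())
```

On a real host, feed `parse_shell_log` the contents of /var/log/shell.log and `renamed_vm_files` the output of `find /vmfs/volumes -type f`. An attacker with root on the host can truncate shell.log before or after the run, so the check is only dependable when ESXi syslog is forwarded off-host; the datastore signal survives regardless, but by then the encryption has already happened.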
According to the 2022 IBM Security X-Force Threat Intelligence Index, the amount of ransomware with code unique to Linux increased by 146 percent in 2021. The report also showed an increasing focus on Docker containers rather than generic Linux systems, since so many web apps run in containers today.
This increase was corroborated by a Linux threat study published by Trend Micro, which reported more than 13 million malware events on Linux systems between January and June of 2021.
Ransomware was the third most prominent type of attack, accounting for 12% of all incidents. Broken down by distribution, CentOS Linux was the most targeted, with CloudLinux, Ubuntu, and Red Hat Enterprise Linux rounding out the top four. So serious is the growing threat to Linux servers that the FBI and National Security Agency issued a joint advisory in August 2020 about Linux malware used by Russian military intelligence (the Drovorub toolset).
One of the first ransomware strains to make the jump to Linux was RansomEXX, also known as Defray777. The well-known variant has been used in several attacks over the past 18 months, including those on the Texas Department of Transportation, Konica Minolta, and Tyler Technologies.
RansomEXX is part of a growing trend in which ransomware gangs bypass workstations and focus on servers in pursuit of a bigger payday. Rather than depending on automated distribution, RansomEXX is human-operated, giving the threat actors time to scout the network thoroughly before deploying the encryptor. A Linux build gives the group greater reach when targeting servers.
Another example is the LockBit Linux-ESXi Locker, recently released by LockBit, a Ransomware-as-a-Service (RaaS) operation. This version specifically targets ESXi hosts and encrypts vCenter infrastructure as well as the VMs themselves.
As is typical today, the group exfiltrates data before encrypting it, for extra leverage to get paid. Other ransomware groups that have recently released their own Linux encryptors include HelloKitty, Hive, REvil, Babuk, and DarkSide, all confirmed by samples captured by security companies. It is often difficult to tell whether a given ransomware attack hit Windows or Linux, because victimized companies rarely disclose the operating systems of their compromised servers.
The increased targeting of Linux servers is but one more reminder that ransomware is a business, and like any business, ransomware entrepreneurs pursue opportunity and seek to expand their markets.
While ransomware may have initially targeted the low-hanging fruit of outdated Windows systems, it’s matured and evolved to a new stage of development in which targets are selectively chosen. And Linux is more and more often that target.