There are quite a few misconceptions that go along with some of this imagery, and unless we have the whole picture, it’s difficult to make sure we’re ready for a ransomware attack.
The most common misconception is that ransomware only targets Windows servers. This couldn’t be further from the truth. Multiplatform ransomware is an ever-growing threat that we must be prepared for.
Let’s take a closer look at the true scope of ransomware.
How We Got Here
To understand why multiplatform ransomware is on the rise, we have to put ourselves in the right mindset. What is the motivation of a ransomware attack? The motivation is to get the victims to pay by any means necessary.
This usually means causing the maximum amount of damage as quickly as possible, because threat actors know the environments they're operating in are under close scrutiny. They put as much effort into remaining undetected as they do into encrypting everything as quickly as possible, and ransomware operators are constantly updating their software to serve both goals.
A decade ago, Linux was just starting to increase in enterprise adoption thanks to the enterprise-level support offered by distributions. Today you'd be hard-pressed to find a datacenter that doesn't have Linux servers in it. One of the biggest use cases for Linux servers is database servers, which are a natural target for ransomware operators.
These Linux variants are easily adapted to run on VMware ESXi as well. VMware ESXi ransomware encrypts the virtual machines (VMs) running on the VMware host or across the whole cluster. Because it works at the hypervisor level, ESXi ransomware doesn't care what operating system is running inside each VM.
Since the motivation is getting victims to pay the ransom, why stop at just Windows servers? One benefit to attacking VMware ESXi is that it’s a quick job, since there are so many VMs that can be impacted from compromising a single VMware host.
Beyond the Operating System
Multiplatform ransomware is about more than targeting multiple operating systems. We need to take a good look at our environments as a whole, and examine what can happen if a ransomware actor decides to take a good look along with us.
There’s also a tendency to simply focus on protecting our server infrastructure, but it’s important to remember how the bad actors get in.
The No. 1 way environments are compromised is through phishing attacks. Just ask Cisco, which was recently attacked that way. Yet we’re so focused on servers we sometimes forget how networks are compromised in the first place.
Besides providing an entry point into the rest of the network, end-user workstations may also contain information the threat actors can extort. From a single compromised desktop or laptop they may also be able to reach other workstations for encryption or extortion.
What’s the impact of employees not being able to work? It depends on the business, but the impact can be very high. Just take healthcare as an example, and its move toward putting medical charts online in recent years. The impact can be hard to quantify for many organizations, but it can be huge.
Another way threat actors get in is by exploiting security vulnerabilities across the environment. This may not be categorized as a ransomware attack until they encrypt or exfiltrate data, because ransomware can't be deployed in an environment until the threat actors are already inside. This is why organizations need to pay very close attention to vulnerable components of their infrastructure.
As Easy as 1-2-3
In addition to encrypting and exfiltrating data, threat actors also want to do everything they can to make sure you can't recover. They will go as far as to actively look for your backup systems, so they can attempt to delete or encrypt your backups. This is one of the reasons it's so important to make sure the data is being protected, and that there are multiple copies of it (the "3-2-1 Rule" comes to mind: three copies of the data, on two different media, with one copy offsite).
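The following is an added example, not code from the original article, that turns the 3-2-1 rule into a check over a backup inventory. The inventory format, the field names (`media`, `offsite`, `deletable_from_prod`) and the sample copies are all constructed for this example. It goes one step beyond the classic rule: an inventory can satisfy 3-2-1 and still lose every copy to an attacker who, as described above, hunts for backup systems from inside the production network, so the check also asks whether at least one copy is out of that attacker's reach.

```python
"""Evaluate a backup inventory against the 3-2-1 rule.

Added example, not from the original article. The inventory format and
field names below are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                 # e.g. "san", "nas", "tape", "object-storage"
    offsite: bool              # stored at a different site or region
    deletable_from_prod: bool  # can be deleted or overwritten with credentials
                               # reachable from the production network


def check_321(copies, require_unreachable=True):
    """Return (compliant, findings).

    3-2-1: at least 3 copies of the data (the live copy counts as one),
    on at least 2 different media types, with at least 1 copy offsite.
    With require_unreachable=True the check also demands one copy that an
    actor inside the production network cannot delete or encrypt. That
    extra condition is this example's own addition, not part of the
    classic rule, but it is the scenario the article warns about.
    """
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need at least 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one media type ({', '.join(sorted(media)) or 'none'}), need 2")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if require_unreachable and not any(not c.deletable_from_prod for c in copies):
        findings.append("every copy can be deleted from the production network")
    return (not findings, findings)


# Constructed sample inventories for one dataset.
# WEAK passes classic 3-2-1 but every copy is reachable from production.
WEAK = [
    BackupCopy("production-db", "san", offsite=False, deletable_from_prod=True),
    BackupCopy("nightly-nas", "nas", offsite=False, deletable_from_prod=True),
    BackupCopy("dr-site-replica", "nas", offsite=True, deletable_from_prod=True),
]

# HARDENED swaps the online DR replica for an offsite tape copy that cannot
# be deleted with production credentials.
HARDENED = WEAK[:2] + [
    BackupCopy("tape-vault", "tape", offsite=True, deletable_from_prod=False),
]

if __name__ == "__main__":
    for label, inventory in (("weak", WEAK), ("hardened", HARDENED)):
        ok, findings = check_321(inventory)
        print(f"{label}: {'OK' if ok else 'FAIL'} {findings}")
```

Running it reports the weak inventory as failing only on the extra reachability condition, which is exactly the gap a threat actor who has already found your backup servers will exploit; the hardened inventory passes all four checks.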
When we think about protecting our environments against the threat of ransomware, it's important to keep in mind the mindset of those trying to exploit us. When attackers seek to do as much damage as quickly as possible, it makes sense that they will turn to their software to do it.
That's a key reason multiplatform ransomware is on the rise. It's important to remember to look at the bigger picture, including all the major platforms in the datacenter: Windows, Linux, and VMware ESXi.
We know threat actors target these platforms, so we need to pay special attention to securing and protecting them. It’s also important to remember to protect all of our assets, from servers all the way down to our endpoints so they can be recovered after an attack.