Trend Micro researchers have detailed a new capability gained by the LockBit ransomware group: encryption of Linux virtual machines.
LockBit Ransomware’s New Feature
While most of its tools have so far been aimed at Windows machines, researchers at Trend Micro have discovered a new attack vector added to LockBit's arsenal: encryption of Linux virtual machines. According to them, the group's malware is now capable of compromising VMware ESXi and vCenter installations. Its capabilities include:
- Identifying a VM
- Starting and stopping running VMs
- Specifying how large a file can be
- Specifying the number of bytes that can be encrypted
- Wiping out the space altogether, etc.

| Command | Description |
|---|---|
| vm-support --listvms | Obtain a list of all registered and running VMs |
| esxcli vm process list | Get a list of running VMs |
| esxcli vm process kill --type force --world-id | Power off the VM from the list |
| esxcli storage filesystem list | Check the status of data storage |
| /sbin/vmdumper %d suspend_v | Suspend VM |
| vim-cmd hostsvc/enable_ssh | Enable SSH |
| vim-cmd hostsvc/autostartmanager/enable_autostart false | Disable autostart |
| vim-cmd hostsvc/hostsummary \| grep cpuModel | Determine ESXi CPU model |
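The command table above is also a detection opportunity: on an ESXi host, commands typed into the shell are recorded, so a defender can scan that log for the same sequence (VM enumeration, datastore listing, SSH enablement, autostart disablement, forced power-off). The following Python script is an added example written for this article and is not Trend Micro's or LockBit's code. It assumes a log line shape modelled on ESXi's shell log (timestamp, `shell[pid]`, user, command), the sample lines are constructed, and the per-rule weights and the alert threshold are assumptions a team would tune to its own environment.

```python
"""Scan ESXi shell-log style lines for the command sequence the Trend Micro
write-up attributes to LockBit's Linux encryptor.

Added example (not Trend Micro's or LockBit's code). The log line shape and
the rule weights/threshold are assumptions; the sample log lines are constructed.
"""
import re
from collections import Counter

# (rule name, regex over the command text, weight). Patterns mirror the
# command table in the article; weights are an assumption.
RULES = [
    ("enumerate_vms", re.compile(r"\b(vm-support\s+--listvms|esxcli\s+vm\s+process\s+list)\b"), 1),
    ("force_poweroff_vm", re.compile(r"\besxcli\s+vm\s+process\s+kill\b.*--type\s+force\b"), 3),
    # The article shows "%d" as a format placeholder; a real log carries the world id.
    ("suspend_vm", re.compile(r"/sbin/vmdumper\s+\d+\s+suspend_v\b"), 3),
    ("list_datastores", re.compile(r"\besxcli\s+storage\s+filesystem\s+list\b"), 1),
    ("enable_ssh", re.compile(r"\bvim-cmd\s+hostsvc/enable_ssh\b"), 2),
    ("disable_autostart", re.compile(r"\bvim-cmd\s+hostsvc/autostartmanager/enable_autostart\s+false\b"), 3),
    ("host_cpu_model", re.compile(r"\bvim-cmd\s+hostsvc/hostsummary\b.*\bcpuModel\b"), 1),
]

# Assumed line shape: "<ISO timestamp> shell[<pid>]: [<user>]: <command>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$")

# Alert when the summed weight of distinct matched commands reaches this (assumption).
THRESHOLD = 5

# Constructed sample log: an attacker-like sequence plus benign noise.
SAMPLE_LOG = [
    "2022-01-24T09:14:02Z shell[2046]: [root]: esxcli vm process list",
    "2022-01-24T09:14:05Z shell[2046]: [root]: esxcli storage filesystem list",
    "2022-01-24T09:14:09Z shell[2046]: [root]: vim-cmd hostsvc/enable_ssh",
    "2022-01-24T09:14:11Z shell[2046]: [root]: vim-cmd hostsvc/autostartmanager/enable_autostart false",
    "2022-01-24T09:14:13Z shell[2046]: [root]: esxcli vm process kill --type force --world-id 2100123",
    "2022-01-24T09:14:20Z shell[2046]: [root]: vim-cmd hostsvc/hostsummary | grep cpuModel",
    "2022-01-24T10:02:31Z shell[2311]: [admin]: ls -la /vmfs/volumes/",
    "not a shell log line at all",
]


def classify_command(cmd):
    """Return the names of all rules that match one shell command."""
    return [name for name, pattern, _ in RULES if pattern.search(cmd)]


def score_log(lines):
    """Parse log lines, tag matching commands and return a summary.

    The score sums the weight of every rule hit (once per matching line), so
    repeated enumeration alone stays low while the stop/SSH/autostart changes
    push a session over the threshold.
    """
    weights = {name: weight for name, _, weight in RULES}
    matched = []
    rule_counts = Counter()
    score = 0
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than fail the whole scan
        names = classify_command(m.group("cmd"))
        if not names:
            continue
        matched.append((m.group("ts"), m.group("user"), m.group("cmd"), names))
        for name in names:
            rule_counts[name] += 1
            score += weights[name]
    return {
        "score": score,
        "rules_hit": sorted(rule_counts),
        "matched": matched,
        "suspicious": score >= THRESHOLD,
    }


if __name__ == "__main__":
    result = score_log(SAMPLE_LOG)
    for ts, user, cmd, names in result["matched"]:
        print(f"{ts} {user}: {cmd}  ->  {', '.join(names)}")
    print(f"score={result['score']} suspicious={result['suspicious']}")
```

Run on the constructed sample, the six commands of the attacker-like sequence are tagged and the session scores well above the threshold, while the lone `ls` and the malformed line contribute nothing. A single `esxcli vm process list` on its own stays below the threshold, which is the point of weighting the forced power-off, SSH and autostart changes higher than plain enumeration.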
Researchers said that LockBit's Linux encryptor uses AES to encrypt files and elliptic-curve cryptography (ECC) to encrypt the decryption keys. Since the group has expanded its attack tooling, system administrators and security teams are advised to harden their servers against Linux-targeting ransomware and to remain vigilant for such attacks.