After wreaking havoc on Windows users, the nasty ransomware LockBit has taken aim at Linux systems. Researchers have found a new ransomware variant in the wild infecting Linux servers.
LockBit Ransomware Targets Linux
Sharing the details in a post, researchers from Trend Micro Labs explained how the latest LockBit ransomware infects Linux.
LockBit ransomware is a well-known cyber threat to organizations and has evolved several times to become more damaging. Its latest iteration, LockBit 2.0, has also hit some significant targets, such as Bangkok Airways and the Italian firm ERG.
Until then, LockBit existed primarily as Windows ransomware.
However, Trend Micro researchers read about a Linux variant, “LockBit Linux-ESXi Locker version 1.0”, on an underground forum in October 2021. Now it seems the threat actors have formally started using this variant, as the researchers found it active in the wild.
Briefly, this ransomware variant employs a combination of the Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) for encryption. It also has extensive logging capabilities, recording information such as processor details, VMs, volumes in the system, the number of encrypted files, the number of encrypted VMs, the size of the encrypted files, and the total encryption time.
Moreover, it includes specific commands to encrypt VM images on ESXi servers.
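The article only names the two algorithms, so the following added example (written for this page, not code from the article or from Trend Micro's analysis) illustrates the hybrid AES-plus-ECC pattern in general terms: the encrypting side holds only an ECC public key, derives a fresh AES key through an ephemeral ECDH exchange, and never stores that key. Curve P-256, SHA-256 as the key-derivation step, and AES-GCM are assumptions for the illustration; the article does not state which curve, mode or KDF the malware uses. The point for defenders is that nothing left on the encrypted host suffices to decrypt, which is why recovery planning rests on offline backups rather than on key recovery.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is all that remains on disk after hybrid encryption: an ephemeral
// ECC public key, a nonce and the AES-GCM ciphertext. No symmetric key is stored.
type Envelope struct {
	EphemeralPub []byte
	Nonce        []byte
	Ciphertext   []byte
}

// deriveKey reduces an ECDH shared secret to a 256-bit AES key.
// SHA-256 stands in for a KDF here (assumption; the article names none).
func deriveKey(shared []byte) []byte {
	sum := sha256.Sum256(shared)
	return sum[:]
}

// newGCM builds an AES-256-GCM instance from the derived key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext to recipientPub using only the public key: a fresh
// ephemeral key pair is generated, the AES key is derived via ECDH, and the
// ephemeral private key is discarded when the function returns.
func Seal(recipientPub *ecdh.PublicKey, plaintext []byte) (*Envelope, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	// Bind the ephemeral public key as additional data so it cannot be swapped.
	ct := gcm.Seal(nil, nonce, plaintext, ephPub)
	return &Envelope{EphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// Open recovers the plaintext; it requires the recipient's private key,
// which in the ransomware scenario never touches the victim host.
func Open(recipientPriv *ecdh.PrivateKey, env *Envelope) ([]byte, error) {
	ephPub, err := ecdh.P256().NewPublicKey(env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipientPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, env.EphemeralPub)
}

// RoundTrip shows the two properties defenders care about: the matching
// private key decrypts, and any other key fails GCM authentication.
func RoundTrip() (bool, bool, error) {
	holderPriv, err := ecdh.P256().GenerateKey(rand.Reader) // kept off-host
	if err != nil {
		return false, false, err
	}
	otherPriv, err := ecdh.P256().GenerateKey(rand.Reader) // any key the victim could produce
	if err != nil {
		return false, false, err
	}
	sample := []byte("constructed sample: bytes of a VM disk image") // constructed input
	env, err := Seal(holderPriv.PublicKey(), sample)
	if err != nil {
		return false, false, err
	}
	pt, err := Open(holderPriv, env)
	recovered := err == nil && string(pt) == string(sample)
	_, err = Open(otherPriv, env)
	return recovered, err != nil, nil
}

func main() {
	ok, wrongKeyFails, err := RoundTrip()
	fmt.Println("recovered with private key:", ok, "wrong key rejected:", wrongKeyFails, "err:", err)
}
```

Running it prints that the matching key recovers the sample and the unrelated key is rejected. The envelope contains only public material, so a forensic copy of the encrypted host yields no decryption key.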
This capability of targeting Linux and VMware ESXi servers can severely damage victim networks, and it can also help the malware spread quickly and stealthily. The researchers have compared this functionality of LockBit with that of REvil and DarkSide – two nightmarish ransomware families for the business community.
Following a successful infection and data encryption, the ransomware drops the usual ransom notes for the victims. It also continues the double extortion strategy of stealing the victims' data as well as encrypting it.
Recommendations for Organizations
The researchers advise organizations to keep their systems up to date to prevent LockBit infections.
In LockBit's case, keeping systems up to date can prevent intrusions, because LockBit has been known to use access credentials stolen from vulnerable servers and sold in the cybercriminal underground.
They have also recommended numerous other measures, such as conducting cyberattack simulations and working on attack prevention and recovery plans.