Analysis and Impact of LockBit Ransomware's First Linux and VMware ESXi Variant


Ransomware

LockBit ransomware's operators announced the release of its first Linux and ESXi variant in October. With samples also observed in the wild, we discuss the analysis and impact of this variant.
By: Junestherry Dela Cruz

January 24, 2022


In our monitoring of the LockBit ransomware's intrusion set, we found an announcement for LockBit Linux-ESXi Locker version 1.0 in October 2021 on the underground forum "RAMP," where potential affiliates can find it. This indicates the LockBit ransomware group's efforts to expand its targets to Linux hosts. Since October, we have been seeing samples of this variant in the wild.
This variant could have a significant impact on victim organizations because of the role ESXi, VMware's hypervisor, plays in managing servers.
Analysis of the variant
LockBit Linux-ESXi Locker version 1.0 uses a combination of Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms for data encryption. From our analysis, we can see that this version of LockBit accepts command-line parameters, as detailed in Figure 1.

Figure 1. Parameters accepted by the Linux-ESXi version of LockBit

This version of the ransomware has logging capabilities and can log the following information:

Processor information
Volumes in the system
Virtual machines (VMs) to skip
Total files
Total VMs
Encrypted files
Encrypted VMs
Total encrypted size
Time spent on encryption

This variant also contains the commands needed to encrypt VM images hosted on ESXi servers, as listed in Table 1.

Command                                                   Description
vm-support --listvms                                      Obtain a list of all registered and running VMs
esxcli vm process list                                    Get a list of running VMs
esxcli vm process kill --type force --world-id            Power off the VM from the list
esxcli storage filesystem list                            Check the status of data storage
/sbin/vmdumper %d suspend_v                               Suspend VM
vim-cmd hostsvc/enable_ssh                                Enable SSH
vim-cmd hostsvc/autostartmanager/enable_autostart false   Disable autostart
vim-cmd hostsvc/hostsummary grep cpuModel                 Determine ESXi CPU model

Table 1. Commands for encrypting VM images hosted on ESXi servers
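Taken individually, every command in Table 1 is ordinary ESXi administration; what gives the variant away is the sequence, run from one shell session: enumerate VMs, enable SSH, disable autostart, force-kill or suspend every guest, then list the datastores that hold the VMDKs. The script below is an added example, written for this page rather than taken from Trend Micro or from the LockBit sample, of detection logic for that sequence run over ESXi's /var/log/shell.log. The log lines are constructed for the example, the layout "<timestamp> shell[<pid>]: [<user>]: <command>" is assumed to approximate shell.log, the tag names are the example's own, and the cpuModel row of Table 1 is matched with or without the pipe to grep.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of ESXi's /var/log/shell.log
# ("<timestamp> shell[<pid>]: [<user>]: <command>"). These lines are
# synthetic and written for this example; they are not a capture from
# a LockBit incident. The world IDs are made up.
SAMPLE_SHELL_LOG = """\
2022-01-24T10:15:01Z shell[2048]: [root]: vim-cmd hostsvc/hostsummary | grep cpuModel
2022-01-24T10:15:04Z shell[2048]: [root]: vim-cmd hostsvc/enable_ssh
2022-01-24T10:15:09Z shell[2048]: [root]: vim-cmd hostsvc/autostartmanager/enable_autostart false
2022-01-24T10:15:12Z shell[2048]: [root]: vm-support --listvms
2022-01-24T10:15:15Z shell[2048]: [root]: esxcli vm process list
2022-01-24T10:15:20Z shell[2048]: [root]: esxcli vm process kill --type force --world-id 2101234
2022-01-24T10:15:21Z shell[2048]: [root]: esxcli vm process kill --type force --world-id 2101235
2022-01-24T10:15:25Z shell[2048]: [root]: /sbin/vmdumper 2101236 suspend_v
2022-01-24T10:15:30Z shell[2048]: [root]: esxcli storage filesystem list
2022-01-24T11:02:44Z shell[3011]: [root]: esxcli storage filesystem list
2022-01-24T11:03:01Z shell[3011]: [root]: esxcli network ip interface ipv4 get
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)

# One pattern per row of Table 1. The tag names are this example's own.
LOCKBIT_ESXI_COMMANDS = {
    "list_vms":          re.compile(r"\bvm-support\s+--listvms\b"),
    "list_running_vms":  re.compile(r"\besxcli\s+vm\s+process\s+list\b"),
    "force_kill_vm":     re.compile(r"\besxcli\s+vm\s+process\s+kill\s+--type[= ]force\s+--world-id\b"),
    "list_datastores":   re.compile(r"\besxcli\s+storage\s+filesystem\s+list\b"),
    "suspend_vm":        re.compile(r"/sbin/vmdumper\s+\d+\s+suspend_v\b"),
    "enable_ssh":        re.compile(r"\bvim-cmd\s+hostsvc/enable_ssh\b"),
    "disable_autostart": re.compile(r"\bvim-cmd\s+hostsvc/autostartmanager/enable_autostart\s+false\b"),
    "cpu_model":         re.compile(r"\bvim-cmd\s+hostsvc/hostsummary\b.*\bcpuModel\b"),
}

# Commands that change host or guest state; alone they are still legitimate admin work.
STATE_CHANGING = {"force_kill_vm", "suspend_vm", "enable_ssh", "disable_autostart"}


def scan_shell_log(text):
    """Group shell.log commands by shell session (pid) and tag Table 1 matches."""
    sessions = defaultdict(lambda: {"user": None, "first": None, "last": None, "hits": []})
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m is None:
            continue  # not a shell.log command line
        rec = m.groupdict()
        s = sessions[rec["pid"]]
        s["user"] = rec["user"]
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
        for tag, pat in LOCKBIT_ESXI_COMMANDS.items():
            if pat.search(rec["cmd"]):
                s["hits"].append(tag)
                break
    return dict(sessions)


def assess(sessions, min_distinct=3):
    """Alert on sessions that chain several Table 1 commands, or that pair VM
    enumeration with a forced power-off. A lone datastore or VM listing is
    routine administration and is deliberately not alerted on."""
    alerts = []
    for pid, s in sessions.items():
        distinct = set(s["hits"])
        enumerate_then_kill = "list_running_vms" in distinct and "force_kill_vm" in distinct
        if len(distinct) >= min_distinct or enumerate_then_kill:
            alerts.append({
                "pid": pid,
                "user": s["user"],
                "window": (s["first"], s["last"]),
                "tags": sorted(distinct),
                "state_changes": sorted(distinct & STATE_CHANGING),
            })
    return alerts


if __name__ == "__main__":
    for a in assess(scan_shell_log(SAMPLE_SHELL_LOG)):
        print(f"shell[{a['pid']}] {a['user']} {a['window'][0]}..{a['window'][1]}: "
              f"{', '.join(a['tags'])} (state changes: {', '.join(a['state_changes'])})")
```

The session keyed by shell pid is what makes this usable: the second session in the sample runs the same datastore listing as the first and is not alerted on, while the first trips both the distinct-command threshold and the enumerate-then-kill pairing. Forward shell.log to a collector before tuning this, since an operator who has already reached the ESXi shell can also clear the local log.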
The ransom note is typical of LockBit attacks. It advertises the speed of LockBit 2.0, lists the leak sites where the LockBit group threatens to publish stolen information, and ends with a recruitment ad for potential insiders, enticing them with "millions of dollars" in exchange for access to valuable company data.

Figure 2. A ransom note of the Linux-ESXi version of LockBit

LockBit's operators typically threaten to publish data stolen from their victims on their leak site once the targeted organizations fail to comply with the ransom demands.

Figure 3. A screenshot of LockBit 2.0's leak site

Impact of the variant
The release of this variant is in line with how modern ransomware groups have been shifting their efforts to target and encrypt Linux hosts such as ESXi servers. An ESXi server typically hosts multiple VMs, which in turn hold important data or services for an organization. Successful encryption of ESXi servers by ransomware could therefore have a significant impact on targeted companies. This trend was spearheaded by ransomware families such as REvil and DarkSide.
Recommendations
ESXi offers organizations an easier way to manage their servers. But ransomware operators are mirroring the transition of organizations to platforms such as ESXi. This development adds LockBit to the list of ransomware families capable of targeting Linux hosts in general and the ESXi platform in particular.
While Linux variants are often harder to detect, implementing security best practices can still help organizations minimize the chance of a successful attack. In the case of LockBit, keeping systems up to date can prevent intrusions, because LockBit has been known to use access credentials stolen from vulnerable servers and sold in the cybercriminal underground. VMware also provides recommendations for improving the security of ESXi.
Organizations should also consider the following steps to mitigate ransomware threats:

Deploy cross-layered detection and response solutions. Find solutions that can anticipate and respond to ransomware activities, techniques, and movements before the threat culminates. Trend Micro Vision One™, for example, helps detect and block ransomware components to stop attacks before they can affect an enterprise.
Create a playbook for attack prevention and recovery. Both an incident response (IR) playbook and IR frameworks help organizations plan for different attacks.
Conduct attack simulations. Expose employees to realistic cyberattack simulations that can help decision-makers, security personnel, and IR teams identify and prepare for potential security gaps and attacks.

Indicators of compromise (IOCs)
SHA256

f3a1576837ed56bcf79ff486aadf36e78d624853e9409ec1823a6f46fd0143ea
67df6effa1d1d0690c0a7580598f6d05057c99014fcbfe9c225faae59b9a3224
ee3e03f4510a1a325a06a17060a89da7ae5f9b805e4fe3a8c78327b9ecae84df

YARA rule:
rule Linux_Lockbit_Jan2022 {
   meta:
      description = "Detects a Linux version of Lockbit ransomware"
      author = "TrendMicro Research"
      date = "2022-01-24"
      hash1 = "038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4"
   strings:
      $xor_string_1 = "LockBit Linux/ESXi locker V:" xor(0x01-0xff)
      $xor_string_2 = "LockBit 2.0 the world's fastest ransomware since 2019" xor(0x01-0xff)
      $xor_string_3 = "Tox ID LockBitSupp" xor(0x01-0xff)
   condition:
      uint16(0) == 0x457f and filesize < 300KB and
      filesize > 200KB and any of them
}
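The rule above relies on three things that are easy to misread: uint16(0) == 0x457f is the ELF magic (0x7f 'E') read little-endian, the xor(0x01-0xff) modifier matches each string XORed with any single-byte key except 0x00 (so a plaintext copy of the string does not match), and the filesize window is in units of 1024 bytes. The following is an added example, not Trend Micro's code and not part of the rule, that re-implements the rule's matching logic in Python so it can be exercised offline. The ELF-looking blob is constructed for the example (magic bytes plus zero padding with one obfuscated marker planted, not a real binary), and the XOR-modifier and KB semantics stated above are the assumptions it encodes.

```python
# Constructed example: a pure-Python reading of the YARA rule's condition,
# so the matching logic can be checked without a YARA install. Assumptions
# made here: YARA's `xor(0x01-0xff)` modifier means "the string XORed with
# any single-byte key from 0x01 to 0xff" (0x00, i.e. plaintext, excluded),
# and `KB` in a YARA filesize comparison means 1024 bytes.

XOR_STRINGS = [
    b"LockBit Linux/ESXi locker V:",
    b"LockBit 2.0 the world's fastest ransomware since 2019",
    b"Tox ID LockBitSupp",
]
KB = 1024


def find_xor_string(data, plain, keys=range(0x01, 0x100)):
    """Return (offset, key) for every occurrence of `plain` XORed with a
    single-byte key from `keys` inside `data`, like YARA's xor modifier."""
    hits = []
    for key in keys:
        enc = bytes(b ^ key for b in plain)
        start = 0
        while (idx := data.find(enc, start)) >= 0:
            hits.append((idx, key))
            start = idx + 1
    return hits


def rule_linux_lockbit_jan2022(data):
    """Mirror of the rule's condition: ELF magic as a little-endian uint16,
    200KB < filesize < 300KB, and at least one obfuscated marker present."""
    if len(data) < 2 or int.from_bytes(data[:2], "little") != 0x457F:
        return False
    if not (200 * KB < len(data) < 300 * KB):
        return False
    return any(find_xor_string(data, s) for s in XOR_STRINGS)


def build_sample(key, size=250 * KB, offset=0x1000):
    """Synthetic ELF-looking blob (magic bytes plus zero padding, not a real
    binary) with the first marker string XORed by `key` planted at `offset`."""
    blob = bytearray(b"\x7fELF" + b"\x00" * (size - 4))
    enc = bytes(b ^ key for b in XOR_STRINGS[0])
    blob[offset:offset + len(enc)] = enc
    return bytes(blob)


if __name__ == "__main__":
    print(rule_linux_lockbit_jan2022(build_sample(0x5A)))                 # True
    print(rule_linux_lockbit_jan2022(build_sample(0x00)))                 # False: plaintext is outside 0x01-0xff
    print(rule_linux_lockbit_jan2022(build_sample(0x5A, size=100 * KB)))  # False: outside the size window
```

The second and third calls are the cases worth remembering when the rule is tuned: a sample that stores the marker strings unobfuscated, or a build that falls outside the 200KB to 300KB window, will not match, so the rule is a detection for this packaging of the locker rather than for LockBit on Linux in general.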
