fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Linux Version of LockBit Ransomware Targets VMware ESXi Servers

Linux Version of LockBit Ransomware Targets VMware ESXi Servers

LockBit is the latest ransomware gang whose Linux encryptor has been discovered to be focusing on the encryption of VMware ESXi virtual machines.

The enterprise is increasingly moving to virtual machines to save computer resources, consolidate servers, and for easier backups.

Due to this, ransomware gangs have evolved their tactics to create Linux encryptors that specifically target the popular VMware vSphere and ESXi virtualization platforms over the past year.

Also Read: Computer Misuse Act Singapore: The Truth And Its Offenses

While ESXi is not strictly Linux, it does share many of its characteristics, including the ability to run ELF64 Linux executables.

Lockbit targets VMware ESXi servers

In October, LockBit began promoting the new features of their Ransomware-as-a-Service operation on the RAMP hacking forums, including a new Linux encryptor that targets VMware ESXi virtual machines.

In a new report, Trend Micro researchers analyzed the ransomware gang’s Linux encryptor and explained how it’s used to target VMWare ESXi and vCenter installations.

Linux encryptors are nothing new, with BleepingComputer reporting on similar encryptors in the past from HelloKittyBlackMatterREvilAvosLocker, and the Hive ransomware operations.

Like other Linux encryptors, LockBits provides a command-line interface allowing affiliates to enable and disable various features to tailor their attacks.

These features include the ability to specify how large a file and how many bytes to encrypt, whether to stop running virtual machines, or wipe free space after, as shown by the image below.

LockBit Linux encryptor command-line arguments
LockBit Linux encryptor command-line arguments
Source: Trend Micro

However, what makes the LockBit linux encryptor stand out is the wide use of both VMware ESXI and VMware vCenter command-line utilities to check what virtual machines are running and to shut them down cleanly so they are not corrupted while being encrypted.

Also Read: Personal Data Websites: 3 Things That You Must Be Informed

The full list of commands seen by Trend Micro in LockBit’s encryptor are listed below:

CommandDescription
vm-support –listvms Obtain a list of all registered and running VMs
esxcli vm process list Get a list of running VMs 
esxcli vm process kill –type   force –world-id Power off the VM from the list 
esxcli storage filesystem list Check the status of data storage 
/sbin/vmdumper %d suspend_v Suspend VM 
vim-cmd hostsvc/enable_ssh Enable SSH 
vim-cmd hostsvc/autostartmanager/enable_autostart false Disable autostart 
vim-cmd hostsvc/hostsummary grep cpuModel Determine ESXi CPU model

Trend Micro states that the encryptor uses AES to encrypt files and elliptic-curve cryptography (ECC) algorithms to encrypt the decryption keys.

With the widespread use of VMware ESXI in the enterprise, all network defenders and security professional should expect that every large ransomware operation has already developed a Linux variant.

By making this assumption, admins and security professionals can create appropriate defenses and plans to protect all devices in their networks, rather than just Windows devices.

This is especially true for the LockBit operation, which has become the most prominent ransomware operation since REvil shut down and prides itself on its encryptors’ speed and feature set.

It is also vital to remember that as much as we are watching ransomware gangs, they are also watching us back.

This means that they monitor researchers’ and journalists’ social feeds for the latest tactics, defenses, and vulnerabilities that they can then use against corporate targets.

Due to this, ransomware gangs are constantly evolving their encryptions and tactics to try and stay one step ahead of security and Windows admins.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us