Trend Micro : Analysis and Impact of LockBit Ransomware’s First Linux and VMware ESXi Variant

Impact of the variant

The release of this variant is in line with how modern ransomware groups have been shifting their efforts to target and encrypt Linux hosts such as ESXi servers. An ESXi server typically hosts multiple VMs, which in turn hold important data or services for an organization. The successful encryption by ransomware of ESXi servers could therefore have a large impact on targeted companies. This trend was spearheaded by ransomware families like REvil and DarkSide.

Recommendations

ESXi offers organizations an easier way to manage their servers. But ransomware operators are also mirroring the transition of organizations to platforms such as ESXi. This development adds LockBit to the list of ransomware families capable of targeting Linux hosts in general and the ESXi platform in particular.

While Linux versions are typically harder to detect, implementing security best practices can still help organizations minimize the possibility of a successful attack. In the case of LockBit, keeping systems up to date can prevent intrusions. This is because LockBit has been known to use access credentials stolen from vulnerable servers and sold in the cybercriminal underground. VMware also provides recommendations for enhancing the security of ESXi.

Organizations should also consider the following steps to mitigate ransomware threats:

• Deploy cross-layered detection and response solutions. Find solutions that can anticipate and respond to ransomware activities, techniques, and movements before the threat culminates. Trend Micro Vision One™️, for example, helps detect and block ransomware components to stop attacks before they can affect an enterprise.
• Create a playbook for attack prevention and recovery. Both an incident response (IR) playbook and IR frameworks help organizations plan for different attacks.
• Conduct attack simulations. Expose employees to realistic cyberattack simulations that can help decision-makers, security personnel, and IR teams identify and prepare for potential security gaps and attacks.