We already know that ransomware is very nasty. But how do you build your defenses against it? Rather, what should you protect first and foremost? Often, Windows workstations, Active Directory servers and other Microsoft products are prime candidates, a strategy that is usually justified. But we should keep in mind that cybercriminals’ tactics are constantly evolving and that malicious tools are already being developed for Linux servers and virtualization systems. In fact, in 2022, the total number of attacks on Linux systems increased by approximately 75%.
The motivation behind these attacks is very clear: the popularity of open source and virtualization is on the rise, which means that more and more servers are running Linux or VMWare ESXi. These can store a wealth of critical information that, if encrypted, can instantly cripple a company’s operations. And, as the security of Windows systems has traditionally been the focus of attention, the rest of the servers are proving to be easy prey.
Attacks in 2022 and 2023
In February 2023, many VMware ESXi server owners were affected by the ESXiArgs ransomware outbreak. Exploiting vulnerability CVE-2021-21974, attackers disabled virtual machines and encrypted .vmxf, .vmx, .vmdk, .vmsd and .nvram files.
The notorious Clop group, known for a large-scale attack against the vulnerable Fortra GoAnywhere file transfer services via CVE-2023-0669, was detected in December 2022 using, albeit with limitations, a Linux version of its ransomware. This differs significantly from its Windows counterpart (it lacks some optimizations and defensive tricks), but adapts to Linux permissions and user types and specifically targets Oracle database folders.
A new version of BlackBasta ransomware is designed specifically for attacks on ESXi hypervisors. The encryption strategy uses the ChaCha20 algorithm in multi-threaded mode involving multiple processors. Since ESXi farms are typically multiprocessor, this algorithm minimizes the time required to encrypt the entire environment.
Shortly before its disintegration, the Conti cybercriminal group also armed itself with ransomware that targeted ESXi. Unfortunately, since much of Conti’s code ended up leaked, its developments are now in the hands of cybercriminals.
The BlackCat ransomware, written in Rust, can also disable and delete ESXi virtual machines. In other respects, the malicious code differs slightly from the Windows version.
The Luna ransomware, which we detected in 2022, was originally cross-platform, capable of running on Windows, Linux and ESXi systems. And, of course, the LockBit group could hardly ignore this trend and also started offering ESXi versions of its malware to affiliates.
As for the older (but unfortunately effective) attacks, there were also the RansomEXX and QNAPCrypt campaigns, which largely affected Linux servers.
Attack tactics against the server
To penetrate Linux servers, vulnerabilities generally have to be exploited. Attackers can weaponize these vulnerabilities within the operating system, web servers and other core applications, as well as corporate applications, databases and virtualization systems. As Log4Shell demonstrated last year, vulnerabilities in open source components require special attention. After an initial breach, many strains of ransomware use additional tricks or vulnerabilities to elevate privileges and encrypt the system.
Priority security measures for Linux servers
To minimize the possibilities of attacks affecting Linux servers, we recommend:
Fix vulnerabilities immediately.
Minimize the number of open Internet connections and ports.
Implement specialized server security tools to protect both the operating system itself and the virtual machines and containers hosted on the server. For more information on how to protect yourself in Linux, visit our specialized publication.