Posted on 01/25/2022 11:00:35 AM PST by ShadowAce
One of the most prolific families of ransomware now has additional Linux and VMware ESXi variants that have been spotted actively targeting organisations in recent months.
Analysis by cybersecurity researchers at Trend Micro identified LockBit Linux-ESXi Locker version 1.0 being advertised on an underground forum. Previously, LockBit ransomware – which was by far the most active ransomware family at one point last year – was focused on Windows.
LockBit has a reputation as one of the stealthiest ransomware families. A Linux and VMware ESXi variant widens the range of hosts its affiliates can encrypt, taking in the hypervisor and every virtual machine stored on it rather than Windows endpoints alone, which raises the pressure on a victim to give in and pay for the decryption key.
"The release of this variant is in line with how modern ransomware groups have been shifting their efforts to target and encrypt Linux hosts such as ESXi servers," said Junestherry Dela Cruz, threats analyst at Trend Micro.
"An ESXi server typically hosts multiple VMs, which in turn hold important data or services for an organization. The successful encryption by ransomware of ESXi servers could therefore have a large impact on targeted companies."
By targeting Linux, LockBit is following in the footsteps of other ransomware groups, including REvil and DarkSide, but the popularity of LockBit ransomware-as-a-service means that attacks could have a much wider impact and organisations should be aware of the potential threat.
Like many other ransomware attacks, LockBit steals information from compromised networks and threatens to publish it if the ransom isn't received – and that ransom demand can amount to millions of dollars.
As with previous versions of LockBit, the Linux variant carries a note from the attackers that tries to recruit insiders: hand over corporate account credentials so the ransomware can be spread further, in exchange for a cut of the profits. Whether this kind of solicitation actually works is unclear.
Researchers suggest that ransomware is harder to detect on Linux, but that implementing best security practices still provides the best chance of preventing the network from falling victim to an attack.
This includes keeping systems up to date with the latest security patches, since LockBit affiliates are known to exploit vulnerable, internet-facing servers to gain a foothold and spread. They are also known to log in with stolen usernames and passwords, so any password known to have appeared in a data breach should be changed rather than left in service.
It's also recommended that multi-factor authentication is applied across the entire ecosystem in order to provide an additional layer of defence against attacks.
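The article's point that ransomware is harder to spot on Linux hosts is where a simple, tool-independent heuristic earns its keep: a file that was readable yesterday and is now statistically indistinguishable from random bytes has very likely been encrypted. The script below is an added example, not code from the article or from Trend Micro. It measures Shannon entropy per file and flags high-entropy files, while skipping types that are legitimately high-entropy (compressed archives, images) to avoid the classic false positive. The threshold, the allowlist, the datastore paths and all sample file contents are constructed assumptions for the demonstration.

```python
import math
import os
import random
from collections import Counter

# Assumption: 7.5 bits/byte. Natural text sits around 4-5 bits/byte,
# encrypted or compressed data approaches 8. Tune per host.
ENTROPY_THRESHOLD = 7.5

# Assumption: extensions that are high-entropy by design; flagging them
# would drown real hits in noise.
HIGH_ENTROPY_OK = {".gz", ".zip", ".xz", ".bz2", ".7z", ".png", ".jpg"}

# Below this size the entropy estimate is too noisy to act on.
MIN_BYTES = 256


def shannon_entropy(data: bytes) -> float:
    """Return bits per byte of `data` (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(path: str, data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True if `data` is large enough to judge, not an allowlisted type,
    and its entropy is at or above the threshold."""
    ext = os.path.splitext(path)[1].lower()
    if ext in HIGH_ENTROPY_OK or len(data) < MIN_BYTES:
        return False
    return shannon_entropy(data) >= threshold


def scan(files: dict) -> list:
    """Return the paths in `files` (path -> bytes) that look encrypted."""
    return [path for path, data in files.items() if looks_encrypted(path, data)]


# Constructed sample "filesystem" standing in for a walk over a datastore.
# None of this is real data; the random bytes model ciphertext.
_rng = random.Random(1)
_random_bytes = lambda n: bytes(_rng.getrandbits(8) for _ in range(n))

SAMPLE_TEXT = b"The quick brown fox jumps over the lazy dog. " * 40
SAMPLE_FILES = {
    "/vmfs/volumes/ds1/web01/web01.vmx": SAMPLE_TEXT,            # plain config text
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk": _random_bytes(4096),  # overwritten with ciphertext
    "/var/log/archive.gz": _random_bytes(2048),                    # archive: high entropy, allowlisted
    "/etc/hostname": _random_bytes(64),                            # too small to judge
}

if __name__ == "__main__":
    for path, data in SAMPLE_FILES.items():
        print(f"{shannon_entropy(data):5.2f} bits/byte  {path}")
    print("flagged:", scan(SAMPLE_FILES))
```

The allowlist is a blunt instrument: a VMDK holding a guest filesystem full of compressed or already-encrypted data will also sit near 8 bits/byte, so in production compare each file against its own earlier baseline (or watch for a sudden jump across many files in a short window) rather than against one absolute threshold.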
Ping.
What if all this ‘ransomware’ was actually the government?..................
Some of it is. I get 5-20 or so threat assessments each day, and at least one a day is a government actor.
In the engineering industry (like Huntsville, AL) so much of it is from China.
Russia is much higher, I’d say. Probably 40%. China is easily 50%.
Just when you thought it was safe to go back in the water...
Almost all ransomware is either sponsored by a government or tolerated by officials in exchange for a percentage payment.
"Everybody" in a local scene knows who the gangs are. Nobody cares as long as the payments keep coming. "Nobody saw nothin'".
Once in a while, the American government reaches a deal with the foreign government and a couple of low-level gangsters get extradited, or an operation gets shut down.
Or somebody makes a score that is too big and destructive to ignore. In those cases, perhaps a basket of heads gets delivered to a field office somewhere. Or maybe that is just a rumor to keep the others in line.
Thank you... :)
OK, so here is the difference my friend. Ransomware in this case is different than Ransomware for MS. With MS they lock your system so that it is unusable. This is “We see what you are doing” and they threaten to share that information.
For a personal desktop user this is not really a concern. A diligent astute Linux desktop user would be able to revert their system back and rid themselves of the spyware that allowed them to get this “information”.
It is more “spyware” than it is “ransomware”. Big companies might have to worry about illegal operations or privileged information, but personal users not much at all. I would be about as concerned with this as when I get the bogus emails that claim they caught me watching porn and threaten to tell my wife. lol
When they do not even know my wife...
“But Veronica has noticed that the warranty on my car is about to expire! She only wants to help me with a once in a lifetime offer! /s”
First I tell them how eager I am to have my warranty updated. Then I tell them my cars are a 67 Camaro, a 57 Chevy Bel Air and a 48 Chevy 3/4 ton pickup. You can hear their jaws drop. Then for some reason they hang up.
There is no 100% secure way to find public applications, but at least one can farm out the security patch war to their cloud provider by going serverless with AWS Lambda and DynamoDB and the like. Plus it scales automatically and is dirt cheap.
There's a vaccine for that.