LockBit is one of the most prolific ransomware families in the threat landscape, and it has now become more dangerous with a variant focused on Linux and VMware ESXi. Dubbed LockBit Linux-ESXi Locker version 1.0, the ransomware was found advertised on an underground forum.

Diving into details

  • This new version uses a combination of AES and ECC algorithms for encryption.
  • LockBit Linux-ESXi Locker version 1.0 has logging functionality and can log processor information, VMs, total files, encrypted files and VMs, and time spent to encrypt, among others.
  • Moreover, it includes commands for encrypting VM images on ESXi servers.
  • The ransom note is similar to the ones associated with LockBit. It contains a list of leak sites and a recruitment ad for insiders interested in earning millions of dollars in exchange for company information.

Why this matters

The new version of LockBit means that the ransomware can spread farther and encrypt a wider variety of devices and files. This, in turn, would increase the pressure on victims to pay the ransom. Furthermore, an ESXi server hosts several VMs, so a successful encryption means a massive impact on victim organizations.

Latest incident

  • The ransomware gang claimed to have attacked the Ministry of Justice of France and stolen thousands of files.
  • While details are limited, LockBit’s official website states that the Ministry has 13 days to pay the ransom or the data will be leaked on February 10.
  • The group has also claimed to have hit major enterprises in Germany, Spain, France, Italy, and the U.K.

The bottom line

This latest LockBit version signifies that the threat group is following in the footsteps of other ransomware groups, such as REvil, BlackMatter, HelloKitty, AvosLocker, and Hive ransomware. Nevertheless, the popularity of the LockBit RaaS may result in more widespread attacks and greater impact on victims. Researchers note that while detecting ransomware on Linux is challenging, implementing adequate security controls is the best way to stay protected from the burgeoning threat that is LockBit.

Cyware Publisher