Ransomware. Nasty. But how to build defenses against it? Rather – what should be protected first and foremost? Often, Windows workstations, Active Directory servers, and other Microsoft products are the prime candidates. And this approach is usually justified. But we should bear in mind that cybercriminal tactics are constantly evolving, and malicious tools are now being developed for Linux servers and virtualization systems. In 2022, the total number of attacks on Linux systems increased by about 75%.
The motivation behind such attacks is clear: the popularity of open source and virtualization is growing, which means there are more and more servers running Linux or VMWare ESXi. These often store a lot of critical information which, if encrypted, can instantly cripple a company’s operations. And since the security of Windows systems has traditionally been the focus of attention, non-Windows servers are proving to be sitting ducks.
Attacks in 2022–2023
- In February 2023, many owners of VMware ESXi servers were hit by the ESXiArgs ransomware Exploiting the CVE-2021-21974 vulnerability, attackers disabled virtual machines and encrypted .vmxf, .vmx, .vmdk, .vmsd and .nvram files.
- The infamous Clop gang — noted for a large-scale attack on vulnerable Fortra GoAnywhere file-transfer services through CVE-2023-0669 — was spotted in December 2022 using (albeit in a limited way) a Linux version of its ransomware. It differs significantly from its Windows counterpart (lacking some optimizations and defensive tricks), but is adapted to Linux permissions and user types and specifically targets Oracle database folders.
- A new version of the BlackBasta ransomware is designed specially for attacks on ESXi hypervisors. The encryption scheme uses the ChaCha20 algorithm in multi-threaded mode involving multiple processors. Since ESXi farms are typically multiprocessor, this algorithm minimizes the time taken to encrypt the entire environment.
- Shortly before its breakup, the Conti group of hackers also armed itself with ESXi-targeting ransomware. Unfortunately, given that much of Conti’s code was leaked, their developments are now available to a broad range of cybercriminals.
- The BlackCat ransomware, written in Rust, is also capable of disabling and deleting ESXi virtual machines. In other respects, the malicious code differs little from the Windows version.
- The Luna ransomware, which we detected in 2022, was cross-platform to begin with, able to run on Windows, Linux and ESXi systems. And, of course, the LockBit group could hardly fail to ignore the trend: it too began to offer ESXi versions of their malware to affiliates.
- As for older (but, alas, effective) attacks, there were also the RansomEXX and QNAPCrypt campaigns, which hit Linux servers big-time.
Server-attack tactics
Penetrating Linux servers is usually based on exploitation of vulnerabilities. Attackers can weaponize vulnerabilities in the operating system, web servers and other basic applications, as well as in business applications, databases, and virtualization systems. As demonstrated last year by Log4Shell, vulnerabilities in open-source components require special attention. After an initial breach, many ransomware strains use additional tricks or vulnerabilities to elevate privileges and encrypt the system.
Priority safeguards for Linux servers
To minimize the chances of attacks affecting Linux servers, we recommend:
- Promptly patching vulnerabilities
- Minimizing the number of open internet-facing ports and connections
- Deploying specialized security tools on servers to protect both the operating system itself as well as virtual machines and containers hosted on the server. Read more about Linux protection in our dedicated post.