REvil’s Linux Version Targets VMware ESXi Virtual Machines

Organizations running ESXi environments that thought they had somehow escaped the attention of REvil ransomware operators are in for a rude awakening – the ransomware-as-a-service’s repertoire now includes a Linux version aimed squarely at VMware ESXi virtual machines, according to researchers at MalwareHunterTeam.

Vitali Kremez at Advanced Intel examined the findings and tweeted some of the characteristics of REvil’s Linux version:

  • Leverages “esxcli” CLI component to kill VMs via world id
  • affiliate "sub":"7864" | usual struct
  • GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.4) 4.8.4
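A defender-side check prompted by the esxcli behaviour noted in the tweet, added here as an example and not part of the original article or of Advanced Intel's analysis: it scans constructed shell-log-style lines (the line format is an assumption) for `esxcli vm process kill` invocations and alerts when one host/user session kills several VMs within a short window, which is the pattern a mass-encryption run would leave behind.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like shape (an assumption, not a real
# ESXi log excerpt): timestamp, host, shell user, and the command that was run.
SAMPLE_LOG = """\
2021-06-29T02:14:07Z esxi01 shell[root]: esxcli vm process list
2021-06-29T02:14:09Z esxi01 shell[root]: esxcli vm process kill --type=force --world-id=2101153
2021-06-29T02:14:10Z esxi01 shell[root]: esxcli vm process kill --type=force --world-id=2101210
2021-06-29T02:14:11Z esxi01 shell[root]: esxcli vm process kill --type=force --world-id=2101347
2021-06-29T09:30:00Z esxi02 shell[admin]: esxcli vm process kill --type=soft --world-id=5550001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) shell\[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)
# Match an esxcli kill and capture the world id it targets.
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b.*--world-id[= ](?P<wid>\d+)")

def parse_kills(log_text):
    """Return (timestamp, host, user, world_id) for every esxcli kill command."""
    kills = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        k = KILL_RE.search(m["cmd"])
        if k:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            kills.append((ts, m["host"], m["user"], k["wid"]))
    return kills

def find_mass_kills(kills, threshold=3, window=timedelta(seconds=60)):
    """Flag (host, user) pairs that kill >= threshold distinct VMs within `window`."""
    by_actor = defaultdict(list)
    for ts, host, user, wid in kills:
        by_actor[(host, user)].append((ts, wid))
    alerts = {}
    for actor, events in by_actor.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            wids = {w for t, w in events[i:] if t - start <= window}
            if len(wids) >= threshold:
                alerts[actor] = sorted(wids)
                break
    return alerts
```

A single kill by an administrator is routine and stays below the threshold; the alert fires on the burst, which is what distinguishes the ransomware behaviour from normal operations.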

This addition to the REvil arsenal makes the already formidable, dangerous and increasingly popular ransomware even more dangerous.

“The REvil update to support Linux broadens their attack vector tremendously; with a number of servers that are either Linux or based on Linux, they are no longer limited to a single operating system target and as such, can branch out into others easily,” said Shawn Smith, director of infrastructure at nVisium.

“If nothing else, it’s a growth in capability for an already active and prolific group, with some interesting features,” Sean Nikkel, senior cyber threat intel analyst at Digital Shadows, said.

The ransomware-as-a-service model, like as-a-service business models everywhere, requires the “business” to remain fresh. “With the ‘as-a-service’ business model, REvil has to offer new capabilities,” said Dirk Schrader, global vice president, security research, at New Net Technologies. “That these are directed against the market leader for virtualization should be no surprise, given the growth in its usage.”

It could lead to better ROI for the attackers, as well. By targeting those using the technology, mainly businesses with a path toward digitalization, there “is a higher dependency and therefore a greater likelihood to pay a ransom,” Schrader said.

While alarming, that REvil would target virtual machines is not surprising. Bad actors know that organizations are moving infrastructure to VMware VMs and hybrid clouds “for cost savings and flexibility,” said Karl Steinkamp, director, PCI product and quality assurance at Coalfire. “Not to be outdone, these bad actors upgraded their platform offering in the REvil ransomware to target these Linux ESXi hosts.”

That would allow bad actors to go after Linux systems on multiple clouds as well as target on-premises systems, Steinkamp explained, noting that it’s “an unfortunate but expected outcome given the popularity of cloud offerings.”

Other ransomware, such as RegretLocker, has already targeted ESXi hypervisors. “As we continue to modernize and become increasingly more reliant on virtual machines and containerized systems, we’ll start seeing more attacks targeting such systems, and more specifically, targeting the underlying infrastructure that they use to run; in this case, that’s ESXi,” said Smith.

Within the last year, in fact, ESXi has found itself the target of “notable groups such as RansomEXX, DarkSide, Babuk Locker, and the former Maze group,” said Nikkel. “Not to mention, adversaries have been attacking virtual machines for years prior to these incidents.”

And that assault is likely to continue; virtual machines are simply too lucrative. “It’s realistically possible we’ll continue to see other groups mirror these developments or improve their own wares,” said Nikkel. “A virtual machine typically has the same software running as a physical server, and if it’s vulnerable, there’s a good chance someone will exploit it.”

The good news, he said, is that VMware has provided updates for the vulnerabilities disclosed last spring. Now would be a good time for organizations that have been slow to patch to pick up the pace.

And “despite how impactful the REvil ransomware package offering is, in this case, it may be somewhat blunted because the first command the malware runs is disabled by default on ESXi systems,” said Steinkamp. “Attackers will need to find another way into ESXi systems if this configuration hasn’t been enabled on the systems.”

What’s more, “access to run commands from the malware is dependent upon gaining administrator permissions,” he explained. “Organizations that maintain strong configuration management and access control will likely fare much better in these instances.”

Smith advises companies to “keep proper backups and well-tested recovery plans so if an attack like this one targets your systems, you’ve at least got resilient BCP and DR plans to help recover, monitor and manage moving forward.”


Teri Robinson

From the time she was 10 years old and her father gave her an electric typewriter for Christmas, Teri Robinson knew she wanted to be a writer. What she didn’t know is how the path from graduate school at LSU, where she earned a Masters degree in Journalism, would lead her on a decades-long journey from her native Louisiana to Washington, D.C. and eventually to New York City where she established a thriving practice as a writer, editor, content specialist and consultant, covering cybersecurity, business and technology, finance, regulatory, policy and customer service, among other topics; contributed to a book on the first year of motherhood; penned award-winning screenplays; and filmed a series of short movies. Most recently, as the executive editor of SC Media, Teri helped transform a 30-year-old, well-respected brand into a digital powerhouse that delivers thought leadership, high-impact journalism and the most relevant, actionable information to an audience of cybersecurity professionals, policymakers and practitioners.
