The REvil ransomware operation have added a Linux encryptor to their arsenal that's designed to target and encrypt Vmware ESXi virtual machines.

BleepingComputer reports that security researcher MalwareHunterTeam found a Linux version of the REvil ransomware (aka Sodinokibi)) that also appears to target ESXi servers.

Advanced Intel's Vitali Kremez told BleepingComputer it is an ELF64 executable and includes the same configuration options utilized by the more common Windows executable. Kremez says this is the first know time the Linux variant has been publicly available since it was released.

Shawn Smith, Director of Infrastructure at nVisium, a Falls Church, Virginia-based application security provider, says, "The REvil update to support Linux broadens their attack vector tremendously; with a number of servers that are either Linux or based on Linux, they are no longer limited to a single operating system target and as such, can branch out into others easily. Attackers have already begun targeting virtual machines, such as the RegretLocker from last year."

According to Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, "Within the last year, ESXi has been targeted by notable groups such as RansomEXX, DarkSide, Babuk Locker, and the former Maze group. Not to mention, adversaries have been attacking virtual machines for years prior to these incidents. If nothing else, it's a growth in capability for an already active and prolific group, with some interesting features."

Nikkel argues that it's possible other threat actors will continue to mirror these new developments to improve their craft. "A virtual machine typically has the same software running as a physical server, and if it's vulnerable, there's a good chance someone will exploit it. The good news is that VMware released updates for the most recent vulnerabilities disclosed in Spring 2021; however, adversaries are likely taking advantage of organizations that may be slow to patch," Nikkel says.

As organizations continue to modernize and become increasingly reliant on virtual machines and containerized systems, there will be an increase in attacks targeting these systems, and more specifically targeting the underlying infrastructure that they use to run, which in this case is ESXi, Smith explains.

Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), now part of Netwrix, explains that it should be no surprise that these attacks are directed against the market leader for virtualization, given the growth in its usage. "Another factor are the group of targets using the technology, mainly businesses with a path towards digitalization, that is a higher dependency and therefor a greater likelihood to pay a ransom," he says.

"This attack on the virtual machine infrastructure is a good reminder that new avenues of attack are being created every day, and if an attack doesn't exist today, it's still a real possibility tomorrow. Always keep proper backups and well-tested recovery plans so if an attack like this one targets your systems, you've at least got resilient BCP and DR plans to help recover, monitor and manage moving forward," Smith adds. 

Schrader says the best advice he can offer for organizations running ESXi environments is to, "check their exposure, validate all accounts having access to the environment, and closely monitor for any change happening."