The ransomware gang behind the highly publicized attack on CD Projekt Red uses a Linux variant that targets VMware’s ESXi virtual machine platform for maximum damage, BleepingComputer reports.

Security researcher MalwareHunterTeam found numerous Linux ELF64 versions of the HelloKitty ransomware targeting ESXi servers and the virtual machines running on them. BleepingComputer analyzed samples of this new variant and confirmed that the malware attempts to shut down virtual machines running on the targeted servers to encrypt files, preventing the files from being locked, according to SecurityAffairs. Once the machines are shut down, the ransomware will encrypt files. 

Last month, MalwareHunterTeam also found a Linux version of the REvil ransomware that targets ESXi servers and used the esxcli command as part of the encryption process. Dirk Schrader, Global Vice President, Security Research at New Net Technologies (NNT), now part of Netwrix, a provider of change management software, explains, “The motivation in this isn’t Linux, it is the aspect that ESXi servers are such a valuable target, and that malware developers went that extra mile to add Linux as the origin of many virtualization platforms to their functionality. This welcomes the side effect of being able to attack any Linux machine. A single ESXi 7 server can host up to 1024 VMs, in theory, but for the attacker, it is the combination of several VMs and their importance that makes each ESXi server a worthy target. Attacking and encrypting a device that runs 30 or so critical services for an organization is promising results (ransom paid). For those operating ESXi, the best defense is to have tight monitoring in place that alerts about any change happening to the ESXi, its filesystem and configuration settings. It should be hardened anyway.”

However, the tricky part about defending against attacks like these, says Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solution, “which are already against a variety of software and hardware, means having a good baseline on what your assets are, how they’re patched, how they’re secured, what other dependencies they have, and who’s got access to them. It’s a laundry list of tasks to stay secured, but organizations must handle most or all of these best practices, addressing the low-hanging fruit, which is the favorite avenue of attack for threats. Otherwise, they may end up in the crosshairs of yet another ransomware attack.”

The increasing frequency of attacks on Linux and Linux-based systems can be attributed to the rising use of the virtual machine and containerized infrastructure since many of the underlying systems that power virtual machines and containers are running Linux-based operating systems, says Shawn Smith, Director of Infrastructure at nVisium, a Falls Church, Virginia-based application security provider.

“Attacking the infrastructure that houses VMs or containers can yield a much higher reward for time invested; for example, if you compromise a host that is hosting several other systems, you have effectively compromised all of those systems as well,” Smith adds. “Since attackers are now targeting Linux-based systems that house VM and container infrastructure, it’s relatively easy for them to adapt their malware to also attack normal Linux workstations and servers.”

Smith believes we’ll see “many more equal opportunity offenders that aren’t targeting specific kinds of systems but are targeting everything under the sun that they can profit from using such adaptable techniques.”