Skip to main content

REvil ransomware group deploys Linux encryptor against VMs

Lock on Laptop Screen
(Image credit: Future)

Cybersecurity experts have discovered that the threat actors behind the notorious REvil ransomware have added a Linux version to their arsenal that's designed to attack VMware ESXi virtual machines.

With the adoption of cloud computing technologies like containers and VMs, threat actors have started evolving their attack vectors to target this emerging platform, with VMware ESXi now in the crosshairs.

News of the Linux version of REvil’s Sodinokibi ransomware was shared by researchers from MalwareHunterTeam.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

>> Click here to start the survey in a new window <<

Bleeping Computer adds that this development follows the discovery of a REvil ransomware version that attacks NAS devices by Yelisey Boguslavskiy of Advanced Intel earlier this year.

Virtually real threat

Advanced Intel's Vitali Kremez, who analyzed the new REvil Linux variant, told Bleeping Computer it exhibits the same characteristics and configuration options used by the more common Windows variant.

Emsisoft CTO Fabian Wosar added that other ransomware operations, including Babuk, RansomExx/Defray, Mespinoza, GoGoogle, DarkSide, and Hellokitty, also have Linux variants in their arsenal to attack ESXi VMs.

"The reason why most ransomware groups implemented a Linux-based version of their ransomware is to target ESXi specifically," said Wosar.

As well as posing a threat to large enterprises, the development is also worrisome for small and medium businesses (SMBs), which have been among the largest adopters of virtualization for its cost saving advantages. The cost of business servers quickly adds up and virtualization technologies like ESXi aren’t just budget friendly, but also reduce the time it takes to provision and deploy servers on demand. 

When it comes to guarding against these attacks, security experts have long suggested that ransomware operators and other threat actors work by exploiting security weaknesses in their targets. This means that a well-planned and implemented security strategy is essential, irrespective of security software in place.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.