
Very Real Assault on Virtual ESXi: The Evolving Linux Ransomware Threat

Ransomware encryption of corporate ESXi deployments is not new; Babuk ransomware has targeted ESXi infrastructure on Windows. However, the most popular host OS for ESXi is actually Linux, and since the leak of Babuk’s source code, other ransomware offspring have come to the fore, particularly targeting Linux.

Akira ransomware is believed to have initiated its campaign in late March 2023. Akira is based on Conti, and Conti was inspired by Babuk. The code most commonly reused between Babuk, Conti and Akira ransomware is the ChaCha encryption implementation. LockBit, the latest ransomware group to target Linux, has focused its attention on encrypting VMware ESXi virtual machines using AES. Another group, Royal Ransomware, has also entered the Linux scene, switching in September 2022 to a new and innovative encryption module called “Zeon”.

ESXi on Linux offers ransomware actors a few golden infiltration opportunities: poorly configured SSH and other services, high-impact RCE CVEs in VMware itself such as CVE-2021-21985 and CVE-2021-21986, and exploitation of the OpenSLP service listening on port 427 (CVE-2021-21974). After initial access, most of these ransomware families take command-line arguments that direct them to encrypt specific ESXi files. As described above, LockBit, Royal and Akira, having already made their mark in the Windows domain, have now been identified as prominent threats to ESXi systems hosted on Linux.
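The exposure indicators named above (weak SSH settings and an OpenSLP listener on port 427) are the kind of thing a defender can check before a ransomware operator does. The following is an added example written for this page, not code from the talk or from K7 Labs: it parses an sshd_config fragment and a netstat-style listener listing and reports the weak points. Both inputs are constructed samples; the assumed input shapes are OpenSSH sshd_config syntax (first occurrence of a directive wins, upstream defaults when a directive is absent) and `netstat -an`-style TCP lines ending in `LISTEN`. Nothing here is specific to a real host.

```python
"""Audit a host for the exposure indicators named in the abstract:
weak SSH settings and an OpenSLP listener on tcp/427 (CVE-2021-21974).
Example code added to this page; inputs below are constructed samples."""
import re
from typing import Dict, List

# Constructed sshd_config fragment with deliberately weak settings.
SAMPLE_SSHD_CONFIG = """
# sshd_config (constructed sample, not from a real host)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
"""

# Constructed listener listing in the shape of `netstat -an` TCP lines (assumption).
SAMPLE_LISTENERS = """
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:427             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
"""

# Upstream OpenSSH defaults used when a directive is absent (assumption:
# the host's sshd build does not override them).
SSH_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}

# Directive -> value that counts as a weak setting for an exposed host.
WEAK_SSH = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "yes",
}

SLP_PORT = 427  # OpenSLP, the service affected by CVE-2021-21974


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map lowercase directive -> value. sshd honours the first occurrence
    of a directive, so earlier lines win over later duplicates."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg


def listening_tcp_ports(text: str) -> List[int]:
    """Extract local TCP ports from netstat-style lines in LISTEN state."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return sorted(ports)


def audit(sshd_config: str, listeners: str) -> List[str]:
    """Return one finding string per weak SSH directive and for an SLP listener."""
    findings: List[str] = []
    cfg = parse_sshd_config(sshd_config)
    for directive, weak in WEAK_SSH.items():
        effective = cfg.get(directive, SSH_DEFAULTS[directive]).lower()
        if effective == weak:
            findings.append(f"ssh: {directive} {weak}")
    if SLP_PORT in listening_tcp_ports(listeners):
        findings.append(f"slp: tcp/{SLP_PORT} listening (OpenSLP; see CVE-2021-21974)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SSHD_CONFIG, SAMPLE_LISTENERS):
        print(finding)
```

Note that `PasswordAuthentication` is flagged even when the directive is missing, because OpenSSH's default is `yes`; an audit that only greps for explicit `yes` lines misses that case.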

In this presentation we shall delve deep into the inner workings of the trio of Linux ransomware that target ESXi, exploring code/functionality similarities and disparities between their Windows and Linux flavours. We will also explore the methods for effectively mitigating these debilitating threats within a Linux-based ESXi environment.

Mr. Vigneshwaran P

Vigneshwaran Parthiban graduated from Anna University Chennai with a bachelor’s degree in Information Technology. He started his career in 2021 as a Threat Researcher at K7 Computing’s K7 Labs. Vigneshwaran’s primary responsibilities involve reversing and detecting various types of malware at multiple layers, as well as staying up to date with the latest trends in Linux malware and ELF analysis. His analysis of various malware is detailed on K7 Labs’ technical blog page. He likes to hang out with friends and play cricket in his free time.