This article examines how ransomware families targeting Linux and VMware ESXi have evolved, often reusing Conti, Babuk, and LockBit code to achieve cross-platform parity and rapid deployment. It highlights several Linux/ESXi payloads (MONTI Locker, Akira, Trigona, Abyss Locker) and the techniques they use to access and encrypt virtualized environments. #MONTILocker #Akira #Trigona #AbyssLocker #Conti #LockBit #VMwareESXi
Keypoints
- Linux/ESXi ransomware now releases payloads with feature parity to Windows versions, reducing gaps between platform deployments.
- Operators commonly reuse and modify code from Conti, Babuk, and LockBit to create new Linux/ESXi capabilities.
- Attackers typically gain access via ESXi vulnerabilities and weak credentials, enabling rapid encryption of virtual machines.
- MONTI Locker, Akira, Trigona, and Abyss Locker are highlighted for their Linux/ESXi-focused techniques and command-line controls.
- Payloads rely on command-line parameters and Linux tools (e.g., esxcli) to manage encryption and VM targeting.
- Some families offer wiper-like options (e.g., Trigona’s /erase) to destroy data beyond recovery, illustrating a strategic diversification of the toolkit.
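As an added defender's example (not code from the article or from any of the ransomware families it summarises), the script below flags a burst of VM kill/power-off commands in ESXi shell history, the step that esxcli-driven payloads take to free VM disk files before encryption. The shell.log line layout and the sample lines are constructed assumptions; adjust LINE_RE to your ESXi version.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample modelled on ESXi /var/log/shell.log; the exact layout is an assumption.
SAMPLE_LOG = """\
2024-05-01T02:10:03Z shell[2098231]: [root]: esxcli vm process list
2024-05-01T02:10:09Z shell[2098231]: [root]: esxcli vm process kill --type=force --world-id=2100345
2024-05-01T02:10:10Z shell[2098231]: [root]: esxcli vm process kill --type=force --world-id=2100398
2024-05-01T02:10:12Z shell[2098231]: [root]: vim-cmd vmsvc/power.off 14
2024-05-01T09:30:44Z shell[2099001]: [root]: esxcli network ip interface list
"""

LINE_RE = re.compile(r"^(\S+) shell\[(\d+)\]: \[(\w+)\]: (.*)$")
SHUTDOWN_RE = re.compile(r"\besxcli vm process kill\b|\bvim-cmd vmsvc/power\.off\b")

def parse_events(text):
    """Return (timestamp, shell_pid, user, command) for every parseable line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def find_shutdown_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Per shell session, the most VM kill/power-off commands seen inside any
    `window`; only sessions reaching `threshold` are returned."""
    per_session = defaultdict(list)
    for ts, pid, user, cmd in events:
        if SHUTDOWN_RE.search(cmd):
            per_session[(pid, user)].append(ts)
    bursts = {}
    for key, stamps in per_session.items():
        stamps.sort()
        start, best = 0, 0
        for i, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            best = max(best, i - start + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts

if __name__ == "__main__":
    for (pid, user), count in find_shutdown_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT shell pid {pid} user {user}: {count} VM shutdown commands within 60s")
```

A single power-off is routine maintenance; the burst across one shell session is the signal worth paging on.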
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attackers exploit vulnerabilities in ESXi or other publicly accessible services to gain access. “Typically, attackers exploit vulnerabilities in ESXi, weak credentials, or other security vulnerabilities to gain access to the virtualized environment.”
- [T1078] Valid Accounts – Use of weak credentials to gain access to the virtualization environment. “weak credentials, or other security vulnerabilities to gain access to the virtualized environment.”
- [T1059.004] Unix Shell – Execution occurs via command-line parameters and scripts on Linux payloads (e.g., MONTI Locker). “Available command-line parameters for MONTI Locker include:”
- [T1486] Data Encrypted for Impact – Ransomware encrypts Linux/ESXi-hosted VMs and files. “capable of targeting both Linux and VMWare ESXi environments, with the aim of encrypting the virtual machines (VMs) hosted on ESXi servers…”
- [T1485] Data Destruction – Some variants include data-wiping capabilities using an /erase option. “The /erase option will fully delete the file, making it essentially non-recoverable.”
Indicators of Compromise
- [Hash] Linux ransomware file samples
  - MONTI Locker: a0c9dd3f3e3d0e2cd5d1da06b3aac019cdbc74ef, f1c0054bc76e8753d4331a881cdf9156dd8b812a
  - Akira: 9180ea8ba0cdfe0a769089977ed8396a68761b40
  - Trigona: 0144800f67ef22f25f710d181954869f1d11d471, 55f47e767dd5fdd1a54a0b777b00ffb473acd329, 62e4537a0a56de7d4020829d6463aa0b28843022
  - Abyss Locker: 40ceb71d12954a5e986737831b70ac669e8b439e