Trend Micro researchers have detailed new support gained by the LockBit ransomware group – Encryption of Linux virtual machines.

As per them, LockBit’s new Linux encryptor is aimed at encrypting VMWare ESXi and vCenter installations, through AES. Also, there are a lits of features from finding the nature of VM to clean swiping it, provided by LockBit ransomware to its affiliates.

LockBit Ransomware’s New Feature

After the fall of REvil ransomware last year, LockBit is one of the prominent gangs that rose to popularity. Boasting on the features of fast encryption, LockBit works on Ransomware-as-a-service model, earning through its encryption malware rented to affiliate hackers.

While most of its tools are aimed at targeting Windows machines till now, researchers at Trend Micro have discovered a new attacking vector – encryption of Linux virtual machines – added to LockBit’s arsenal. As per them, the group’s malware is now capable of compromising VMWare ESXi and vCenter installations.

This has been advertising in RAMP hacking forums since October last year, says, researchers. As per them, the new support will let affiliates enable and disable attacking features through a simple command-line interface, with functions like

  • Identifying a VM,
  • Start and stop running VMs,
  • Specifying how large a file can be,
  • Specifying the number of bytes that can be encrypted,
  • Wiping out the space altogether, etc.

Here’s a list of all the functions that a LockBit affiliate can perform on a target device;

Command Description
vm-support –listvms Obtain a list of all registered and running VMs
esxcli vm process list Get a list of running VMs
esxcli vm process kill –type   force –world-id Power off the VM from the list
esxcli storage filesystem list Check the status of data storage
/sbin/vmdumper %d suspend_v Suspend VM
vim-cmd hostsvc/enable_ssh Enable SSH
vim-cmd hostsvc/autostartmanager/enable_autostart false Disable autostart
vim-cmd hostsvc/hostsummary grep cpuModel Determine ESXi CPU model


Researchers said that LockBit’s Linux encryptor uses AES to encrypt files and the elliptic-curve cryptography (ECC) algorithms for encrypting the decryption keys. And they have grown their attacking tools, it’s advised to the system admins and security teams to make their servers stand against Linux exploits coming from ransomware of such, and be vigilant on attacks.


Please enter your comment!
Please enter your name here