REvil ransomware producers have ported their malware over to Linux to expand their campaigns. The primary objective appears to be to infect VMware’s ESXi virtual machine management software and Network-attached storage (NAS) devices. Researchers at AT&T’s Alien Labs have identified four samples in the wild.
Whilst not unheard of, Linux attacks are rarer than compromises of Windows systems, which are far more likely to yield a higher return on investment. However, given that the ESXi hypervisor runs on Linux, it makes sense that the developers would expand their operations in order to encrypt operation-critical virtual machines.
The impact:
If the REvil ransomware strain infects an ESXi host, the consequences can include:
- Loss of time, money and reputation
- No guarantee that information under the attacker’s control will remain confidential and undisclosed to third parties
- No guarantees that data will be decrypted
- Potential loss of backups
- The attackers could deploy a means with which to maintain persistence on the compromised system
The operators have charged a ransom as high as $11 million (approximately £7 million, GBP). It is most certainly in a business’s best interest to ensure that an attacker has difficulty deploying their malware onto its systems.
The remediation:
Whilst there is no specific remediation for this sample, as it is a strain of malware and not a vulnerability, it is important to be prepared. Ensure all ESXi instances are security hardened. This includes:
- Keeping the host up to date and installing all necessary patches
- Do not use unofficial sources to upgrade ESXi components
- Disable copy and paste functionality between guest and host operating systems by default
- Disconnect unnecessary CD-ROM drives, floppy drives and ISO files from virtual machines
- Limit the number of simultaneous connections
- Prevent processes and users from being able to disconnect devices
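Several of the items in this checklist correspond to per-VM advanced settings stored in each virtual machine's .vmx file (isolation.tools.copy.disable, isolation.tools.paste.disable, isolation.device.connectable.disable, isolation.device.edit.disable and RemoteDisplay.maxConnections, as documented in VMware's hardening guidance). The following audit script is an added example, not code from the original article or from Threat Post; the .vmx content it checks is constructed for illustration and the expected values are assumptions taken from that guidance.

```python
import re
# Per-VM advanced settings (VMware hardening guidance) behind the checklist items.
EXPECTED = {
    "isolation.tools.copy.disable": "TRUE",
    "isolation.tools.paste.disable": "TRUE",
    "isolation.device.connectable.disable": "TRUE",
    "isolation.device.edit.disable": "TRUE",
    "RemoteDisplay.maxConnections": "1",
}
# Controllers that carry CD-ROM/ISO/floppy devices (SATA/IDE also carry disks, hence the type check below).
REMOVABLE_PREFIXES = ("ide", "sata", "floppy")
VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')
# Constructed .vmx fragment (not a real VM): paste isolation off, two device
# settings missing, and an install ISO still attached to the SATA controller.
SAMPLE_VMX = '''displayName = "web-01"
scsi0:0.present = "TRUE"
sata0:0.present = "TRUE"
sata0:0.deviceType = "cdrom-image"
sata0:0.fileName = "/vmfs/volumes/datastore1/iso/install.iso"
floppy0.present = "FALSE"
isolation.tools.copy.disable = "TRUE"
isolation.tools.paste.disable = "FALSE"
RemoteDisplay.maxConnections = "1"
'''

def parse_vmx(text):
    """Parse the key = "value" lines of a .vmx file into a dict."""
    settings = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def audit_vmx(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_vmx(text)
    findings = []
    for key, want in EXPECTED.items():
        have = s.get(key)  # an absent key means the weaker default applies
        if have is None or have.upper() != want.upper():
            findings.append(f"{key}: expected {want}, found {have!r}")
    for key, val in s.items():
        if key.startswith(REMOVABLE_PREFIXES) and key.endswith(".present") and val.upper() == "TRUE":
            dev = key[: -len(".present")]
            devtype = s.get(dev + ".deviceType", "")
            fname = s.get(dev + ".fileName", "")
            if "cdrom" in devtype or dev.startswith("floppy") or fname.lower().endswith(".iso"):
                findings.append(f"{dev}: removable device still attached ({devtype or 'floppy'} {fname})")
    return findings
```

Run audit_vmx over each .vmx file on a datastore to list the VMs that still deviate from the checklist; a VM passes only when the list comes back empty.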
For more information on good security practices in relation to ESXi, please see the securing hosts documentation.
Source: Threat Post