While monitoring of the LockBit ransomware’s intrusion set, Trend Micro researchers found an announcement for LockBit Linux-ESXi Locker version 1.0 on October 2021 in the underground forum “RAMP,” where potential affiliates can find it. This signifies the LockBit ransomware group’s efforts to expand its targets to Linux hosts. Since October, we have been seeing samples of this variant in the wild.
This variant could have a big impact on victim organizations because of how ESXi, VMware’s hypervisor helps in managing servers.
Analysis of the variant
Lockbit Linux-ESXi Locker version 1.0 uses a combination of Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms for data encryption.
Source: Trend Micro