REvil Ransomware Ported to Linux for Targeted Attacks

Security researchers have informed the infosec community that REvil, the ransomware behind the recent attack on JBS Foods that ended in an $11 million ransom payment, now has a Linux port. According to researchers at AT&T Cybersecurity, the new port is an attempt on the part of the operators to reach VMware's ESXi hypervisor, as well as NAS appliances that run Linux as their operating system.

Threatpost reported that the AT&T researchers spotted four samples of the Linux version of REvil after a tip from the people behind the ID Ransomware service, known on social media as MalwareHunterTeam.

The samples analyzed by the researchers were ELF64 executables, the standard executable format on 64-bit Linux systems.

The discovery draws attention because Unix and Linux systems are rarely associated with malware in the popular imagination. That perception rests partly on the much smaller installed base of Linux desktops and workstations compared with Windows, and partly on the view that Linux is more secure and harder to breach because vulnerabilities in widely used open-source components tend to be patched quickly by an attentive developer community. Neither point says much about the server and virtualization estate, where Linux-based hypervisors and NAS appliances are common, which is exactly the environment this port targets.

That is not to say there has never been malware for Linux-based operating systems; it is just that Linux malware remains a tiny fraction of what is written for Windows. It is worth noting that earlier this year the DarkSide group also ported its ransomware to Linux, with the same focus: VMware's ESXi infrastructure.

The Linux and Windows versions of REvil share a number of traits: the same extension is appended to encrypted files, the same affiliate identifier is embedded for the third-party affiliates who deploy it, and the public key is stored as a Base64-encoded string in both.
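The two points above, an ELF64 sample and a Base64-encoded key embedded in it, are where a first-pass triage of such a sample starts. The script below is an added example, not code from the page or from the AT&T researchers: it validates the ELF header (magic, class, endianness, type, machine) and then lists embedded printable strings that decode as well-formed Base64, which is how an analyst would begin comparing a Linux build's configuration with a Windows build. The sample bytes are constructed inline; the Base64 string decodes to a 32-byte placeholder and is not a real REvil key, and the other strings are placeholders too.

```python
import base64
import binascii
import re
import struct

ELF_MAGIC = b"\x7fELF"

# Values the ELF specification assigns to e_type / e_machine that we care about.
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
ELF_MACHINES = {0x03: "x86", 0x28: "arm", 0x3E: "x86-64", 0xB7: "aarch64"}


def parse_elf_header(data: bytes) -> dict:
    """Return class, endianness, type and machine from an ELF header.

    Raises ValueError when the bytes are not an ELF image. Only e_ident and the
    two 16-bit fields that follow it are read, so the layout is the same for
    ELF32 and ELF64.
    """
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]   # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed e_ident")
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "class": "ELF64" if ei_class == 2 else "ELF32",
        "endian": "little" if ei_data == 1 else "big",
        "type": ELF_TYPES.get(e_type, hex(e_type)),
        "machine": ELF_MACHINES.get(e_machine, hex(e_machine)),
    }


PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")
BASE64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def extract_strings(data: bytes):
    """Printable ASCII runs of six or more bytes, like the strings(1) tool."""
    return [m.decode("ascii") for m in PRINTABLE_RUN.findall(data)]


def base64_candidates(strings):
    """Strings that are well-formed Base64, paired with their decoded length.

    The length-16+ and multiple-of-4 filters drop most short words that happen
    to use only Base64 characters; strict decoding drops the rest.
    """
    found = []
    for s in strings:
        if len(s) % 4 or not BASE64_SHAPE.match(s):
            continue
        try:
            raw = base64.b64decode(s, validate=True)
        except (binascii.Error, ValueError):
            continue
        found.append((s, len(raw)))
    return found


def triage(data: bytes) -> dict:
    """Header facts plus any Base64-shaped strings embedded in the image."""
    info = parse_elf_header(data)
    info["base64_strings"] = base64_candidates(extract_strings(data))
    return info


def build_sample() -> bytes:
    """Constructed stand-in for a sample: a valid ELF64 x86-64 executable header
    followed by a few placeholder strings. Not a real binary and not REvil code."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, v1, SysV ABI
    rest = struct.pack("<HHIQQQIHHHHHH",
                       2, 0x3E, 1,            # e_type=EXEC, e_machine=x86-64, e_version
                       0x401000, 64, 0, 0,    # e_entry, e_phoff, e_shoff, e_flags
                       64, 56, 1, 64, 0, 0)   # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    placeholder_key = base64.b64encode(bytes(range(32))).decode()  # 44-char Base64, placeholder only
    body = (b"\0" * 32 + b".constructed_ext\0" + b"affiliate=example\0"
            + placeholder_key.encode() + b"\0not_base64!\0")
    return e_ident + rest + body


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

Run against a real file with `triage(open(path, "rb").read())`. The decoded length is the useful column: a fixed-size blob such as a public key stands out from Base64-encoded text, and matching decoded sizes across the Windows and Linux builds is the kind of evidence the researchers describe.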

How the unusual rivalry between the REvil and DarkSide groups plays out on this new Linux front remains to be seen.

REvil Ransomware Cybercrooks Launch New Attacks on Hundreds of Businesses During July 4th Holiday

The cybercrooks behind the

The REvil ransomware attacks came to light on Friday, July 2nd, right after REvil affiliates used a malicious software update to attack Kaseya's VSA remote monitoring and management product. The attack prompted the company to shut down its SaaS servers to protect customer data, a precaution that potentially limited the damage. Other companies that were hit may not have been so lucky: ransomware like REvil encrypts data and leaves some organizations no choice but to pay a substantial ransom, potentially in the millions of dollars, to get their data back.

July 6, 2021
