{
	"id": "5dd4b8d8-1374-4562-bcb6-9d61552d8671",
	"created_at": "2026-04-06T00:06:53.954033Z",
	"updated_at": "2026-04-10T03:21:15.265849Z",
	"deleted_at": null,
	"sha1_hash": "36edd086e6f26be8543d7f4e5cc3888c6a4dde96",
	"title": "Analysis and Impact of LockBit Ransomware’s First Linux and VMware ESXi Variant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 771117,
	"plain_text": "Analysis and Impact of LockBit Ransomware’s First Linux and VMware ESXi Variant\r\nBy: Junestherry Dela Cruz Jan 24, 2022 Read time: 3 min (755 words)\r\nPublished: 2022-01-24 · Archived: 2026-04-05 15:26:30 UTC\r\nIn our monitoring of the LockBit ransomware’s intrusion set, we found an announcement for LockBit Linux-ESXi Locker version 1.0 in October 2021 on the underground forum \"RAMP,\" where potential affiliates can find it. This signifies the LockBit ransomware group’s efforts to expand its targets to Linux hosts. Since October, we have been seeing samples of this variant in the wild.\r\nThis variant could have a big impact on victim organizations because of the role ESXi, VMware’s hypervisor, plays in managing servers.\r\nAnalysis of the variant\r\nLockBit Linux-ESXi Locker version 1.0 uses a combination of Advanced Encryption Standard (AES) and elliptic-curve cryptography (ECC) algorithms for data encryption. From our analysis, we can see that this version of LockBit can accept parameters, as detailed in Figure 1.\r\nFigure 1. Parameters accepted by the Linux-ESXi version of LockBit\r\nThis version of the ransomware has logging capabilities and can log the following information:\r\nProcessor information\r\nVolumes in the system\r\nVirtual machines (VMs) for skipping\r\nTotal files\r\nTotal VMs\r\nEncrypted files\r\nhttps://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html\r\nPage 1 of 6\r\nEncrypted VMs\r\nTotal encrypted size\r\nTime spent for encryption\r\nThis variant also contains commands necessary for encrypting VM images hosted on ESXi servers, as listed in Table 1.\r\nCommand  Description\r\nvm-support --listvms  Obtain a list of all registered and running VMs\r\nesxcli vm process list  Get a list of running VMs\r\nesxcli vm process kill --type force --world-id  Power off the VM from the list\r\nesxcli storage filesystem list  Check the status of data storage\r\n/sbin/vmdumper %d suspend_v  Suspend VM\r\nvim-cmd hostsvc/enable_ssh  Enable SSH\r\nvim-cmd hostsvc/autostartmanager/enable_autostart false  Disable autostart\r\nvim-cmd hostsvc/hostsummary | grep cpuModel  Determine ESXi CPU model\r\nTable 1. Commands for encrypting VM images hosted on ESXi servers\r\nThe ransom note is typical of LockBit attacks. It advertises the speed of LockBit 2.0, lists the leak sites where the LockBit group threatens to publish stolen information, and ends with a recruitment ad for potential insiders, enticing them with “millions of dollars” in exchange for access to valuable company data.\r\nFigure 2. A ransom note of the Linux-ESXi version of LockBit\r\nLockBit's operators typically threaten to publish data they stole from their victims on their leak site once their targeted organizations have failed to comply with their ransom demands.\r\nFigure 3. A screenshot of LockBit 2.0’s leak site\r\nImpact of the variant\r\nThe release of this variant is in line with how modern ransomware groups have been shifting their efforts to target and encrypt Linux hosts such as ESXi servers. An ESXi server typically hosts multiple VMs, which in turn hold important data or services for an organization. The successful encryption of ESXi servers by ransomware could therefore have a large impact on targeted companies. This trend was spearheaded by ransomware families like REvil and DarkSide.\r\nRecommendations\r\nESXi offers organizations an easier way to manage their servers. But ransomware operators are also mirroring the transition of organizations to platforms such as ESXi. This development adds LockBit to the list of ransomware families capable of targeting Linux hosts in general and the ESXi platform in particular.\r\nWhile Linux versions are typically harder to detect, implementing security best practices can still help organizations minimize the possibility of a successful attack. In the case of LockBit, keeping systems up to date can prevent intrusions. This is because LockBit has been known to use access credentials stolen from vulnerable servers and sold in the cybercriminal underground. VMware also provides recommendations for enhancing the security of ESXi.\r\nOrganizations should also consider the following steps to mitigate ransomware threats:\r\nDeploy cross-layered detection and response solutions. Find solutions that can anticipate and respond to ransomware activities, techniques, and movements before the threat culminates. Trend Micro Vision One™️, for example, helps detect and block ransomware components to stop attacks before they can affect an enterprise.\r\nCreate a playbook for attack prevention and recovery. Both an incident response (IR) playbook and IR frameworks help organizations plan for different attacks.\r\nConduct attack simulations. Expose employees to realistic cyberattack simulations that can help decision-makers, security personnel, and IR teams identify and prepare for potential security gaps and attacks.\r\nIndicators of compromise (IOCs)\r\nSHA256\r\nf3a1576837ed56bcf79ff486aadf36e78d624853e9409ec1823a6f46fd0143ea\r\n67df6effa1d1d0690c0a7580598f6d05057c99014fcbfe9c225faae59b9a3224\r\nee3e03f4510a1a325a06a17060a89da7ae5f9b805e4fe3a8c78327b9ecae84df\r\nYARA rule:\r\nrule Linux_Lockbit_Jan2022 {\r\n    meta:\r\n        description = \"Detects a Linux version of Lockbit ransomware\"\r\n        author = \"TrendMicro Research\"\r\n        date = \"2022-01-24\"\r\n        hash1 = \"038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4\"\r\n    strings:\r\n        $xor_string_1 = \"LockBit Linux/ESXi locker V:\" xor(0x01-0xff)\r\n        $xor_string_2 = \"LockBit 2.0 the world's fastest ransomware since 2019\" xor(0x01-0xff)\r\n        $xor_string_3 = \"Tox ID LockBitSupp\" xor(0x01-0xff)\r\n    condition:\r\n        uint16(0) == 0x457f and filesize \u003c 300KB and filesize \u003e 200KB and any of them\r\n}\r\nSource: https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html"
	],
	"report_names": [
		"analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434013,
	"ts_updated_at": 1775791275,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/36edd086e6f26be8543d7f4e5cc3888c6a4dde96.pdf",
		"text": "https://archive.orkl.eu/36edd086e6f26be8543d7f4e5cc3888c6a4dde96.txt",
		"img": "https://archive.orkl.eu/36edd086e6f26be8543d7f4e5cc3888c6a4dde96.jpg"
	}
}