IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Linux-based multi-cloud environments facing increased ransomware attacks

VMware researchers claim not enough effort is being spent on developing countermeasures for attacks on the cloud's most popular operating system

Research from VMware Threat Analysis Unit (VMware TAU) has revealed cyber attackers are increasingly targeting Linux-based multi-cloud environments to install malware such as ransomware, remote access tools (RATs), and cryptominers.

Ransomware operators have evolved recently and are now targeting Linux host images used to execute workloads in virtualised environments, the researchers said, with common ransomware families spotted in compromised environments including Defray777 and DarkSide - the latter of which was used in the notorious Colonial Pipeline hack in 2021.

The findings mark an emerging trend whereby attackers are increasingly targeting Linux to gain a foothold in a business to deliver financially-motivated malware campaigns.

VMware TAU also said Linux-based malware is becoming more "sophisticated" and "devastating" with attackers scoping out companies tackling "financial events" to incentivise payments, as well as fully compromising cloud environments before encrypting files to make the incident response more difficult.

The researchers noted that traditional malware countermeasures are typically focused on protection for Windows environments, meaning adequate attention isn't being paid to Linux thus leaving public and private clouds more vulnerable.

According to VMware TAU, more than 75% of the most popular websites today are powered by Linux and it's also the most popular cloud operating system, comprising a core part of a business' digital infrastructure. 

"Cyber criminals are dramatically expanding their scope and adding malware that targets Linux-based operating systems to their attack toolkit in order to maximise their impact with as little effort as possible,” said Giovanni Vigna, senior director of threat intelligence at VMware.

"Attackers view both public and private clouds as high-value targets due to the access they provide to critical infrastructure services and confidential data," he added.

RATs such as the commercial penetration testing tool Cobalt Strike and a Linux-based re-implementation of a Beacon payload related to it, known as Vermillion Strike, are commonly used as the primary implant in cyber attacks on multi-cloud environments.

Cobalt Strike is a tool used for good by penetration testers and in red team exercises to simulate real attacks but is often misused by cyber criminals for malicious hacking purposes.

Related Resource

The best defence against ransomware

How ransomware is evolving and how to defend against it

Blue padlock Free download

Vermillion Strike was discovered in 2021 and is a malware that allows operators to communicate with victims' machines after infection via a command and control (C2) server. It allows attackers to perform various actions including executing commands and modifying files, making it an ideal tool for attackers looking to encrypt files in extortion campaigns.

"In order to gain control and persist within an environment, attackers look to install an implant on a compromised system that gives them partial control of the machine," said VMware TAU. "Malware, web shells, and Remote Access Tools (RATs) can all be implants used by attackers in a compromised system to allow for remote access."

VMware TAU also noted in its research that cryptomining was also an issue affecting organisations running multi-cloud environments, with Monero being the most popular asset being mined using victims' infrastructure. 

It follows a similar claim made by Google Cloud recently; it noticed a large number of compromises of its customers' environments often led to cryptominers being installed to harness scalable compute without incurring any cost to the attackers.

"Since we conducted our analysis, even more ransomware families were observed gravitating to Linux-based malware, with the potential for additional attacks that could leverage the Log4j vulnerabilities," said Brian Baskin, manager of threat research at VMware.

"The findings in this report can be used to better understand the nature of Linux-based malware and mitigate the growing threat that ransomware, cryptomining, and RATs have on multi-cloud environments. As attacks targeting the cloud continue to evolve, organisations should adopt a Zero Trust approach to embed security throughout their infrastructure and systematically address the threat vectors that make up their attack surface."

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Best Linux file managers 2022: Customise your workflows
Linux

Best Linux file managers 2022: Customise your workflows

17 May 2022
Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT
ransomware

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
Open source dev attacked for spreading data-wiping 'protestware'
open source

Open source dev attacked for spreading data-wiping 'protestware'

18 Mar 2022
Best Linux distros 2022
operating systems

Best Linux distros 2022

17 Mar 2022

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022