Linux systems are being bombarded with ransomware and cryptojacking attacks


The continued success of Linux services in the digital infrastructure and cloud industries over the last few years has painted a target on its back, a new report from VMware has warned.

What’s more, as most anti-malware and cybersecurity solutions are focused on protecting Windows-based devices, Linux is finding itself on thin ice, as threat actors grow aware of this security gap and target the software more than ever before.

VMware's report, based on real-time big data, event stream processing, static, dynamic and behavioral analytics, and machine learning data, claims ransomware has evolved to target the host images used to spin up workloads in virtualized environments.

Ransomware, cryptomining, Cobalt Strike

Attackers are now seeking the most valuable assets in the cloud, VMware says, citing Defray777 as the ransomware family that encrypted host images on ESXi servers, as well as the DarkSide ransomware family that was behind the Colonial Pipeline attack.

Furthermore, multi-cloud infrastructure is often abused to mine cryptocurrency for the attackers. Because this method, known as cryptojacking, does not completely disrupt the operation of cloud environments the way ransomware does, it is a lot more difficult to detect.

Still, almost all (89%) of cryptojacking attacks use XMRig-related libraries. That is why, when XMRig-specific libraries and modules in Linux binaries are identified, it is most likely malicious cryptomining.
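The detection heuristic described above (XMRig-specific strings inside a Linux ELF binary are a strong cryptomining indicator) can be turned into a simple triage scanner. The following is an added example written for this article, not code from VMware or the report; the indicator list is an assumption drawn from strings that XMRig builds and forks are widely observed to carry, and should be tuned against real samples before any production use. The sample "binaries" are constructed inline so the script runs offline.

```python
"""Triage scanner: flag ELF files that carry XMRig-related strings.

Added example, not from the original article. The indicator list below is an
assumption (common XMRig build/config strings); treat it as a starting point.
"""
from pathlib import Path

# Assumed indicators: literal strings commonly present in XMRig-family miners.
# Lower-cased so matching is case-insensitive.
XMRIG_INDICATORS = [
    b"xmrig",
    b"cryptonight",
    b"randomx",
    b"stratum+tcp://",
    b"stratum+ssl://",
    b"donate-level",
]

ELF_MAGIC = b"\x7fELF"


def is_elf(data: bytes) -> bool:
    """True if the blob starts with the ELF magic number."""
    return data[:4] == ELF_MAGIC


def find_indicators(data: bytes) -> list[str]:
    """Return every indicator string found in the blob (case-insensitive)."""
    lower = data.lower()
    return [ind.decode() for ind in XMRIG_INDICATORS if ind in lower]


def classify(data: bytes, threshold: int = 2) -> dict:
    """Classify one blob.

    A file is marked suspect only when it is an ELF binary AND carries at least
    `threshold` distinct indicators; a single hit (e.g. a docs file mentioning
    "xmrig") is reported but not flagged, to keep false positives down.
    """
    hits = find_indicators(data)
    elf = is_elf(data)
    return {"elf": elf, "indicators": hits, "suspect": elf and len(hits) >= threshold}


def scan_blobs(blobs: dict[str, bytes], threshold: int = 2) -> dict[str, dict]:
    """Classify a mapping of name -> bytes and return only the suspect entries."""
    results = {}
    for name, data in blobs.items():
        verdict = classify(data, threshold)
        if verdict["suspect"]:
            results[name] = verdict
    return results


def scan_directory(root: str, threshold: int = 2) -> dict[str, dict]:
    """Walk a directory tree and return the suspect files (unreadable files are skipped)."""
    blobs = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            try:
                blobs[str(path)] = path.read_bytes()
            except OSError:
                continue
    return scan_blobs(blobs, threshold)


# Constructed sample blobs (not real binaries): a fake ELF header followed by
# strings a miner would embed, versus a benign ELF and a text file.
SAMPLE_MINER = (
    ELF_MAGIC + b"\x00" * 12
    + b"XMRig/6.x  RandomX  stratum+tcp://pool.example.invalid:3333  donate-level=1"
)
SAMPLE_BENIGN_ELF = ELF_MAGIC + b"\x00" * 12 + b"hello, world"
SAMPLE_TEXT_NOTE = b"README: this host blocks xmrig by policy"


def demo() -> dict[str, dict]:
    """Run the scanner over the constructed samples and return the suspects."""
    return scan_blobs({
        "/tmp/sample/miner": SAMPLE_MINER,
        "/tmp/sample/benign": SAMPLE_BENIGN_ELF,
        "/tmp/sample/note.txt": SAMPLE_TEXT_NOTE,
    })


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"SUSPECT {name}: {', '.join(verdict['indicators'])}")
```

Only the constructed miner blob is flagged: the text note matches one indicator but is not an ELF file and falls under the threshold, which is the kind of false-positive guard a practitioner would want before wiring this into an alerting pipeline. Running `scan_directory("/usr/local/bin")` applies the same logic to a real tree.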

There is also the growing problem of Cobalt Strike and Vermilion Strike, commercial penetration testing and red team tools for Windows and Linux.

Even though they aren’t designed to be malicious, they can be used as an implant on a compromised system that gives malicious actors partial control of the machine. VMware discovered more than 14,000 active Cobalt Strike Team Servers on the internet in the period between February 2020 and November 2021.

The fact that cracked and leaked Cobalt Strike customer IDs account for 56% of the total leads VMware to conclude that more than half of Cobalt Strike users may be cybercriminals.

To tackle this growing threat, the report further claims, organizations need to “place a greater priority” on threat detection.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.