Ransomware gangs that target big corporations for extortion have long designed their code to execute on Microsoft Windows systems because of that operating system's popularity.
Now, though, crooks are increasingly applying that tactic to the “hypervisor” computer servers that organizations use to manage virtual machines as a way of maximizing their extortion schemes, security firm CrowdStrike said Friday.
Ransomware hackers have targeted hospitals and schools throughout the pandemic, a security challenge that the Biden administration has vowed to address. Alejandro Mayorkas, the newly installed Homeland Security secretary, on Thursday called ransomware attacks on U.S. public and private organizations an “epidemic” while pledging more government resources to fight the problem.
Breaching a hypervisor is an efficient way for the scammers to encrypt all of the virtual machines running on that software system without having to infect each machine individually. The goal is to increase the pressure on big organizations to pay hefty ransoms.
In the second half of 2020, two Eastern European criminal groups that CrowdStrike calls Sprite Spider and Carbon Spider began deploying malicious code written for the Linux operating system and designed to target ESXi, a type of hypervisor.
CrowdStrike did not name the organizations targeted by the malware, but the firm warned that other groups could emulate the activity. The company published details on the emerging technique in a blog post.
The emergence of the Linux-focused ransomware strains comes as organizations are increasingly using virtual machines to consolidate their IT networks. But that concentration of resources on a few servers also risks creating a “virtual jackpot” for ransomware gangs, as CrowdStrike researchers Eric Loui and Sergei Frankoff put it.
The evolution of the two cybercriminal groups mirrors the broader ransomware ecosystem that now thrives on a “ransomware-as-a-service” model that leases hacking tools to maximize profit. Shortly after the coronavirus pandemic took hold and the hospitality sector suffered, Carbon Spider shifted from targeting point-of-sale devices to large organizations as a business tactic, according to CrowdStrike.
“This development shows that the ransomware actors are continuing to find new targets. When we see more than one adversary evolve in this way, it likely signifies others will follow suit,” said Adam Meyers, CrowdStrike’s vice president of intelligence.