LockBit ESXi Linux Ransomware

The LockBit Linux ESXi ransomware uses a combination of Advanced Encryption Standard (AES) and elliptic curve cryptography (ECC) algorithms for data encryption. This variant could have a big impact on victim organizations because ESXi, VMware's hypervisor, is used to manage servers, whereas the previous version targeted Windows.

LockBit YARA IOC

rule Linux_Lockbit_Jan2022 {
   meta:
      description = "Detects a Linux version of Lockbit ransomware"
      author = "TrendMicro Research"
      date = "2022-01-24"
      hash1 = "038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4"
   strings:
      // Each string is searched under every single-byte XOR key from 0x01 to 0xff
      $xor_string_1 = "LockBit Linux/ESXi locker V:" xor(0x01-0xff)
      $xor_string_2 = "LockBit 2.0 the world's fastest ransomware since 2019" xor(0x01-0xff)
      $xor_string_3 = "Tox ID LockBitSupp" xor(0x01-0xff)
   condition:
      // 0x457f is the start of the ELF magic (0x7f 'E') read as a little-endian uint16
      uint16(0) == 0x457f and filesize < 300KB and
      filesize > 200KB and any of them
}
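
To make the rule's matching logic concrete, here is an added Python example (not part of the original page or of the Trend Micro rule) that reimplements its condition, including the single-byte XOR key range, and runs it on a constructed buffer. The helper names and the sample buffer are assumptions made for illustration.

```python
import struct

# Strings and size bounds copied from the Linux_Lockbit_Jan2022 rule.
RULE_STRINGS = {
    "$xor_string_1": b"LockBit Linux/ESXi locker V:",
    "$xor_string_2": b"LockBit 2.0 the world's fastest ransomware since 2019",
    "$xor_string_3": b"Tox ID LockBitSupp",
}
MIN_SIZE, MAX_SIZE = 200 * 1024, 300 * 1024  # filesize > 200KB and < 300KB
XOR_KEYS = range(0x01, 0x100)  # xor(0x01-0xff): key 0x00 (plaintext) is excluded


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def find_xor_strings(data: bytes):
    """Return (string id, key, offset) for each rule string found under a key."""
    hits = []
    for name, plain in RULE_STRINGS.items():
        for key in XOR_KEYS:
            off = data.find(xor_bytes(plain, key))
            if off != -1:
                hits.append((name, key, off))
    return hits


def rule_matches(data: bytes) -> bool:
    """Mirror the rule condition: ELF magic, size window, any string hit."""
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x457F:
        return False
    if not (MIN_SIZE < len(data) < MAX_SIZE):
        return False
    return bool(find_xor_strings(data))


def build_sample(size: int, embedded: bytes) -> bytes:
    """Constructed test buffer: ELF magic, zero padding, one embedded string."""
    body = b"\x7fELF" + b"\x00" * 60 + embedded
    return body + b"\x00" * (size - len(body))


if __name__ == "__main__":
    enc = xor_bytes(RULE_STRINGS["$xor_string_1"], 0x5A)  # constructed key
    sample = build_sample(250 * 1024, enc)
    print(rule_matches(sample), find_xor_strings(sample))
```

Because the key range starts at 0x01, a file that holds these strings in plaintext does not match the rule, and neither does a file outside the 200KB to 300KB window.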

LockBit 2.0 Linux ESXi Ransomware Signatures

Family: Trojan.Linux.GenericA.50716 (B)
MD5: b354eaf3061b4099aecac523eb5466a3
SHA256: 038ff8b2fef16f8ee9d70e6c219c5f380afe1a21761791e8cbda21fa4d09fdb4
