Lockbit Linux ESXi ransomware evasion techniques

A recent analysis of a Lockbit ransomware variant built for Linux-based VMware ESXi hosts has documented several evasion techniques. The sample calls the ptrace system call to detect an attached debugger and exits if it finds one, which frustrates dynamic analysis under gdb or strace.
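The ptrace-based check described above, reconstructed here as an added example (this is not code from the analysed sample or from the original article). A process may have only one tracer, so a request to be traced by its own parent fails with EPERM when a debugger is already attached. The second check, reading TracerPid from /proc/self/status, is a companion technique that is commonly paired with it and is added here for comparison; the article does not say whether the sample uses it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <unistd.h>

/* Check 1: ask the kernel to let our parent trace us. If a debugger
 * (gdb, strace, a ptrace-based sandbox) is already attached, the call
 * fails with EPERM because only one tracer is allowed per process.
 * Side effect: on success we are now nominally traced by our ordinary
 * parent, so a second call returns 1 even with no debugger present.
 * Returns 1 if a tracer was detected, 0 otherwise. */
int debugger_present_ptrace(void)
{
    return ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1;
}

/* Check 2: parse the TracerPid field of /proc/self/status.
 * Returns the tracer's PID, 0 if nobody is tracing us, or -1 if the
 * field could not be read (no procfs). */
long tracer_pid(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;

    char line[256];
    long pid = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            pid = strtol(line + 10, NULL, 10); /* skips leading tab */
            break;
        }
    }
    fclose(f);
    return pid;
}

int main(void)
{
    /* Read TracerPid first: the PTRACE_TRACEME probe changes it. */
    if (tracer_pid() > 0 || debugger_present_ptrace()) {
        fputs("debugger detected, exiting\n", stderr);
        return 1;
    }
    puts("no debugger attached, continuing");
    return 0;
}
```

Run it plainly and it continues; run it under `gdb` or `strace` and it exits at once. For analysts, the check is cheap to defeat: patch the conditional jump after the ptrace call, or preload a shared object whose ptrace() always returns 0, and the deobfuscation and encryption logic that follows can then be stepped through.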


Its strings are stored obfuscated and are decoded at runtime with a rolling XOR routine; recovering them exposes critical elements such as the help menu and the ransom note text. Control flow is driven by an argv parsing function, so the operator can set options such as encryption thresholds and logging modes from the command line.
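An added example of the rolling XOR idea, written for this page and not taken from the sample: the article does not give the malware's actual key schedule, so the schedule here (seed 0x5A, key advanced by 0x33 after every byte) and the "Usage:" blob are constructed for illustration. Because the running key depends only on the seed and byte position, one routine both obfuscates at build time and deobfuscates at runtime, which is what lets an analyst dump every string by running the same routine over the encoded blobs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed schedule parameters for this example (not the sample's). */
#define XOR_SEED 0x5A
#define XOR_STEP 0x33

/* In-place rolling XOR: each byte is XORed with a running key byte that
 * is advanced after every position. The key is data-independent, so the
 * transform is its own inverse. */
void rolling_xor(uint8_t *buf, size_t len, uint8_t seed)
{
    uint8_t key = seed;
    for (size_t i = 0; i < len; i++) {
        buf[i] ^= key;
        key = (uint8_t)(key + XOR_STEP);   /* roll the key forward */
    }
}

/* Decode an obfuscated blob into a caller-supplied buffer as a
 * NUL-terminated string. Returns out, or NULL if out is too small. */
char *deobfuscate_string(const uint8_t *blob, size_t len,
                         char *out, size_t out_len)
{
    if (out_len < len + 1)
        return NULL;
    memcpy(out, blob, len);
    rolling_xor((uint8_t *)out, len, XOR_SEED);
    out[len] = '\0';
    return out;
}

/* Constructed sample: the string "Usage:" encoded with the schedule
 * above, standing in for the start of an obfuscated help menu. */
static const uint8_t HELP_BLOB[] = { 0x0F, 0xFE, 0xA1, 0x94, 0x43, 0x63 };

int main(void)
{
    char out[64];
    if (deobfuscate_string(HELP_BLOB, sizeof HELP_BLOB, out, sizeof out))
        printf("decoded: \"%s\"\n", out);

    /* Round trip: obfuscating and decoding give back the original. */
    uint8_t note[] = "restore";
    rolling_xor(note, 7, XOR_SEED);
    printf("obfuscated bytes:");
    for (size_t i = 0; i < 7; i++)
        printf(" %02X", note[i]);
    rolling_xor(note, 7, XOR_SEED);
    printf("\nround trip: \"%s\"\n", (char *)note);
    return 0;
}
```

In a real triage the analyst locates the routine, notes its seed and step, and applies it to every blob referenced by the string-loading calls; a data-independent schedule like this one means no single byte needs to be guessed.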


ESXi-Specific Operations
The malware has extensive logging and daemonizes itself with libc's daemon() function so that it keeps running detached from the shell that launched it. It checks that ESXi command-line tools are present before enabling SSH on the host. Before encrypting, it suspends running VMs so that their disk files are no longer held open, then generates a random 128-bit key and seals it with a public key hardcoded in the binary, so only the operators' matching private key can recover it. The bulk file encryption is an optimized AES variant.

After encryption, it drops ransom notes titled !!!-Restore-My-Files-!!!. The sample is a further sign that ransomware aimed at Linux and hypervisor hosts is maturing.


NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security