IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Linux-based multi-cloud environments facing increased ransomware attacks

VMware researchers claim not enough effort is being spent on developing countermeasures for attacks on the cloud's most popular operating system

Research from VMware Threat Analysis Unit (VMware TAU) has revealed cyber attackers are increasingly targeting Linux-based multi-cloud environments to install malware such as ransomware, remote access tools (RATs), and cryptominers.

Ransomware operators have evolved recently and are now targeting Linux host images used to execute workloads in virtualised environments, the researchers said, with common ransomware families spotted in compromised environments including Defray777 and DarkSide - the latter of which was used in the notorious Colonial Pipeline hack in 2021.

The findings mark an emerging trend whereby attackers are increasingly targeting Linux to gain a foothold in a business to deliver financially-motivated malware campaigns.

VMware TAU also said Linux-based malware is becoming more "sophisticated" and "devastating" with attackers scoping out companies tackling "financial events" to incentivise payments, as well as fully compromising cloud environments before encrypting files to make the incident response more difficult.

The researchers noted that traditional malware countermeasures are typically focused on protection for Windows environments, meaning adequate attention isn't being paid to Linux thus leaving public and private clouds more vulnerable.

According to VMware TAU, more than 75% of the most popular websites today are powered by Linux and it's also the most popular cloud operating system, comprising a core part of a business' digital infrastructure. 

"Cyber criminals are dramatically expanding their scope and adding malware that targets Linux-based operating systems to their attack toolkit in order to maximise their impact with as little effort as possible,” said Giovanni Vigna, senior director of threat intelligence at VMware.

"Attackers view both public and private clouds as high-value targets due to the access they provide to critical infrastructure services and confidential data," he added.

RATs such as the commercial penetration testing tool Cobalt Strike and a Linux-based re-implementation of a Beacon payload related to it, known as Vermillion Strike, are commonly used as the primary implant in cyber attacks on multi-cloud environments.

Cobalt Strike is a tool used for good by penetration testers and in red team exercises to simulate real attacks but is often misused by cyber criminals for malicious hacking purposes.

Related Resource

The best defence against ransomware

How ransomware is evolving and how to defend against it

Blue padlock Free download

Vermillion Strike was discovered in 2021 and is a malware that allows operators to communicate with victims' machines after infection via a command and control (C2) server. It allows attackers to perform various actions including executing commands and modifying files, making it an ideal tool for attackers looking to encrypt files in extortion campaigns.

"In order to gain control and persist within an environment, attackers look to install an implant on a compromised system that gives them partial control of the machine," said VMware TAU. "Malware, web shells, and Remote Access Tools (RATs) can all be implants used by attackers in a compromised system to allow for remote access."

VMware TAU also noted in its research that cryptomining was also an issue affecting organisations running multi-cloud environments, with Monero being the most popular asset being mined using victims' infrastructure. 

It follows a similar claim made by Google Cloud recently; it noticed a large number of compromises of its customers' environments often led to cryptominers being installed to harness scalable compute without incurring any cost to the attackers.

"Since we conducted our analysis, even more ransomware families were observed gravitating to Linux-based malware, with the potential for additional attacks that could leverage the Log4j vulnerabilities," said Brian Baskin, manager of threat research at VMware.

"The findings in this report can be used to better understand the nature of Linux-based malware and mitigate the growing threat that ransomware, cryptomining, and RATs have on multi-cloud environments. As attacks targeting the cloud continue to evolve, organisations should adopt a Zero Trust approach to embed security throughout their infrastructure and systematically address the threat vectors that make up their attack surface."

Featured Resources

Meeting the future of education with confidence

How the switch to digital learning has created an opportunity to meet the needs of every student, always

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

Technology reimagined

Why PCaaS is perfect for modern schools

Free Download


Best Linux file managers 2022: Customise your workflows

Best Linux file managers 2022: Customise your workflows

17 May 2022
Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

Darktrace AI’s Antigena helps stop ransomware attack at Dordogne GHT

13 Apr 2022
Open source dev attacked for spreading data-wiping 'protestware'
open source

Open source dev attacked for spreading data-wiping 'protestware'

18 Mar 2022
Best Linux distros 2022
operating systems

Best Linux distros 2022

17 Mar 2022

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

7 Jun 2022
The top programming languages you need to learn for 2022
Careers & training

The top programming languages you need to learn for 2022

23 Jun 2022
Swift exit: How the world cut off Russian banks

Swift exit: How the world cut off Russian banks

24 Jun 2022