Linux-based multi-cloud environments facing increased ransomware attacks

An image of a digital padlock with code around it
(Image credit: Shutterstock)

Research from VMware Threat Analysis Unit (VMware TAU) has revealed cyber attackers are increasingly targeting Linux-based multi-cloud environments to install malware such as ransomware, remote access tools (RATs), and cryptominers.

Ransomware operators have evolved recently and are now targeting Linux host images used to execute workloads in virtualised environments, the researchers said, with common ransomware families spotted in compromised environments including Defray777 and DarkSide - the latter of which was used in the notorious Colonial Pipeline hack in 2021.

The findings mark an emerging trend whereby attackers are increasingly targeting Linux to gain a foothold in a business to deliver financially-motivated malware campaigns.

VMware TAU also said Linux-based malware is becoming more "sophisticated" and "devastating" with attackers scoping out companies tackling "financial events" to incentivise payments, as well as fully compromising cloud environments before encrypting files to make the incident response more difficult.

The researchers noted that traditional malware countermeasures are typically focused on protection for Windows environments, meaning adequate attention isn't being paid to Linux thus leaving public and private clouds more vulnerable.

According to VMware TAU, more than 75% of the most popular websites today are powered by Linux and it's also the most popular cloud operating system, comprising a core part of a business' digital infrastructure.

"Cyber criminals are dramatically expanding their scope and adding malware that targets Linux-based operating systems to their attack toolkit in order to maximise their impact with as little effort as possible,” said Giovanni Vigna, senior director of threat intelligence at VMware.

"Attackers view both public and private clouds as high-value targets due to the access they provide to critical infrastructure services and confidential data," he added.

RATs such as the commercial penetration testing tool Cobalt Strike and a Linux-based re-implementation of a Beacon payload related to it, known as Vermillion Strike, are commonly used as the primary implant in cyber attacks on multi-cloud environments.

Cobalt Strike is a tool used for good by penetration testers and in red team exercises to simulate real attacks but is often misused by cyber criminals for malicious hacking purposes.


The best defence against ransomware

How ransomware is evolving and how to defend against it


Vermillion Strike was discovered in 2021 and is a malware that allows operators to communicate with victims' machines after infection via a command and control (C2) server. It allows attackers to perform various actions including executing commands and modifying files, making it an ideal tool for attackers looking to encrypt files in extortion campaigns.

"In order to gain control and persist within an environment, attackers look to install an implant on a compromised system that gives them partial control of the machine," said VMware TAU. "Malware, web shells, and Remote Access Tools (RATs) can all be implants used by attackers in a compromised system to allow for remote access."

VMware TAU also noted in its research that cryptomining was also an issue affecting organisations running multi-cloud environments, with Monero being the most popular asset being mined using victims' infrastructure.

It follows a similar claim made by Google Cloud recently; it noticed a large number of compromises of its customers' environments often led to cryptominers being installed to harness scalable compute without incurring any cost to the attackers.

"Since we conducted our analysis, even more ransomware families were observed gravitating to Linux-based malware, with the potential for additional attacks that could leverage the Log4j vulnerabilities," said Brian Baskin, manager of threat research at VMware.

"The findings in this report can be used to better understand the nature of Linux-based malware and mitigate the growing threat that ransomware, cryptomining, and RATs have on multi-cloud environments. As attacks targeting the cloud continue to evolve, organisations should adopt a Zero Trust approach to embed security throughout their infrastructure and systematically address the threat vectors that make up their attack surface."

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.