Ransomware Expands Targeting Linux and VMware ESXi Systems

Alan V Gutnov

Director of Strategy

July 16, 2025, 3 min read

Linux Ransomware Threat Landscape

Overview of Ransomware Targeting Linux

Ransomware has evolved rapidly to target Linux systems, which were previously regarded as largely immune to such attacks. This shift is driven by the extensive use of Linux in cloud environments and critical workloads. With over 80% of public cloud workloads running on Linux, attackers are increasingly exploiting its vulnerabilities, and traditional defenses are inadequate against these sophisticated threats.

[Image: Linux Ransomware, courtesy of Morphisec]

Key Ransomware Variants

BERT Ransomware

BERT ransomware, also known as "Water Pombero," has emerged as a significant threat targeting both Linux and ESXi systems. Active since April, it uses multithreaded encryption to lock data quickly, which makes it a formidable opponent.

[Image: BERT Ransomware, courtesy of Linux Security]

Key features of BERT include:

  • Targets ESXi VMs directly, forcing them to shut down to maximize downtime.
  • Modular design that allows attack methods to be customized.
  • Similarities to previous ransomware families, indicating a calculated approach.

For more information, visit Trend Micro's analysis.

Helldown Ransomware

The Helldown ransomware group has recently expanded its operations to include Linux systems. This variant operates under a double-extortion model, exfiltrating sensitive data before encrypting files.

[Image courtesy of Infosecurity Magazine]

Notable characteristics:

  • Exploits vulnerabilities in Zyxel firewalls for initial access.
  • Focuses on VMware ESX servers, with features to shut down VMs prior to encryption.
  • Relatively simpler than its Windows counterpart, indicating potential for further development.

For additional details, refer to the Sekoia report.

Attack Strategies

Evasive Techniques

Modern ransomware employs advanced tactics like fileless execution and living-off-the-land techniques, making detection challenging. Attackers leverage built-in Linux tools, executing malicious code in memory without leaving traditional artifacts.

  1. Fileless execution: abusing Bash scripts and cron jobs to run payloads in memory.
  2. Double extortion: encrypting data while simultaneously exfiltrating sensitive information.
  3. Targeting cloud and DevOps: exploiting misconfigurations in cloud-native environments.

For strategies against these threats, consider Morphisec's Anti-Ransomware Assurance Suite.

Response Challenges

Traditional defenses are inadequate in the face of evolving ransomware threats. Most rely on reactive detection tools, which often fail against in-memory attacks. Key reasons for failure include:

  • Inability to detect memory-based threats.
  • Fragmentation across various Linux distributions.
  • Resource constraints limiting the effectiveness of protection.

Organizations must transition to a preemptive defense model to neutralize threats before execution. The prevention-first strategy is essential to safeguard Linux systems.

Recommendations for Organizations

To mitigate the risks posed by ransomware, organizations should adopt the following practices:

Patch Management

Regular updates and patches for systems, particularly network devices like firewalls, are crucial. Delaying these updates can lead to vulnerabilities.

Backup Strategy

Implement immutable backups that cannot be altered by ransomware. Test recovery workflows regularly to ensure effectiveness.

Access Controls

Utilize role-based access control (RBAC) to enforce least privilege practices. Network segmentation for critical resources can limit exposure.

Monitoring and Response

Implement a SIEM solution to detect unusual activity, such as unexpected file encryption attempts or outbound traffic to known malicious IPs.

Virtualization Security

For organizations using virtual machines, tighten security on ESXi hosts by disabling unnecessary services and monitoring VM activity closely.
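The two signals the monitoring and virtualization recommendations above call for, a burst of VM shutdowns by one account and a burst of files gaining one unfamiliar extension, can be expressed as simple detection logic. The following is an added example, not code from the article or from Morphisec or Gopher Security; the log formats, paths, thresholds and known-good extension list are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of ESXi /var/log/shell.log (not real telemetry).
SHELL_LOG = """\
2025-07-16T02:10:05Z shell[2001]: [root]: vim-cmd vmsvc/power.off 12
2025-07-16T02:10:06Z shell[2001]: [root]: vim-cmd vmsvc/power.off 13
2025-07-16T02:10:07Z shell[2001]: [root]: vim-cmd vmsvc/power.off 14
2025-07-16T09:30:00Z shell[2107]: [root]: vim-cmd vmsvc/power.off 7
"""
# Constructed "timestamp path" write events from a hypothetical datastore watcher.
FILE_EVENTS = """\
2025-07-16T02:11:00Z /vmfs/volumes/ds1/web01/web01.vmdk.locked
2025-07-16T02:11:01Z /vmfs/volumes/ds1/web01/web01.vmx.locked
2025-07-16T02:11:02Z /vmfs/volumes/ds1/db01/db01.vmdk.locked
2025-07-16T08:00:00Z /vmfs/volumes/ds1/app02/vmware.log
"""
TS = r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z "
SHELL_RE = re.compile(TS + r"shell\[\d+\]: \[(\w+)\]: (.*)$")
FILE_RE = re.compile(TS + r"(\S+)$")
KNOWN_EXT = {"vmdk", "vmx", "vmsd", "nvram", "log"}  # assumed expected datastore extensions

def bursts(times, threshold, window):
    """Cluster timestamps by window span; return (first_ts, count) for clusters >= threshold."""
    found, cluster = [], []
    for ts in sorted(times) + [None]:
        if ts is None or (cluster and ts - cluster[0] > window):
            if len(cluster) >= threshold:
                found.append((cluster[0], len(cluster)))
            cluster = []
        if ts is not None:
            cluster.append(ts)
    return found

def vm_poweroff_bursts(log, threshold=3, window=timedelta(seconds=60)):
    """Burst of VM power-offs by one user: the pre-encryption step the article attributes to BERT and Helldown."""
    per_user = defaultdict(list)
    for m in filter(None, map(SHELL_RE.match, log.splitlines())):
        if m.group(3).startswith("vim-cmd vmsvc/power.off"):
            per_user[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    return [(u, ts, n) for u, t in per_user.items() for ts, n in bursts(t, threshold, window)]

def new_extension_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Burst of files gaining one unfamiliar extension: the 'unexpected file encryption' signal for a SIEM rule."""
    per_ext = defaultdict(list)
    for m in filter(None, map(FILE_RE.match, events.splitlines())):
        ext = m.group(2).rsplit(".", 1)[-1]
        if ext not in KNOWN_EXT:
            per_ext[ext].append(datetime.fromisoformat(m.group(1)))
    return [(e, ts, n) for e, t in per_ext.items() for ts, n in bursts(t, threshold, window)]
```

The isolated power-off at 09:30 and the ordinary vmware.log write are deliberately not flagged, so the same logic separates routine administration from a shutdown-then-encrypt sequence.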

Conclusion

The landscape of ransomware targeting Linux systems is evolving rapidly, posing significant risks to organizations across various sectors. As attackers refine their techniques, organizations must enhance their defenses and adopt proactive measures to mitigate potential threats.

For organizations seeking robust protection against ransomware, explore the services offered by Gopher Security to safeguard your Linux environments effectively.

Alan V Gutnov, Director of Strategy

MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.
