Ransomware Gangs Target Linux and VMware: New Threats Emerge

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 
July 16, 2025 3 min read

Linux Ransomware Trends

Ransomware Targeting Linux Systems

Ransomware is increasingly targeting Linux systems, which were once considered less vulnerable. As cloud adoption rises, Linux now supports over 80% of public cloud workloads and 96% of the top million web servers. This shift has attracted ransomware gangs looking to exploit perceived weaknesses in Linux environments.

Linux Ransomware

Recent ransomware strains include:

Evolving Tactics in Ransomware Campaigns

Modern ransomware tactics have shifted from traditional methods. Attackers are utilizing fileless execution and Living-off-the-Land (LotL) techniques, exploiting built-in Linux tools to execute code in memory, making detection difficult.

  1. Fileless Execution - Attackers use tools like Bash scripts and cron jobs to execute malicious code, bypassing traditional detection methods. This makes them invisible to regular EDR solutions.
  2. Double Extortion - Ransomware not only encrypts systems but also exfiltrates sensitive data, raising the stakes for victims.
  3. Cloud Vulnerabilities - Ransomware exploits misconfigurations in cloud-native environments, particularly within CI/CD pipelines and Kubernetes clusters.

Traditional Defenses Are Insufficient

Most Linux environments rely on legacy antivirus and detection-based tools, which are ineffective against modern attack vectors. Key shortcomings include:

  • Inadequate Memory Protection - Traditional tools often miss memory-based attacks.
  • Fragmented Coverage - The diversity of Linux distributions leads to inconsistent protection.
  • Resource Constraints - Many Linux systems cannot handle the overhead of traditional security solutions.

Organizations need a new approach to Linux security, focusing on prevention rather than detection.

Preemptive Cyber Defense Strategies

To combat modern ransomware, a prevention-first strategy is essential. This approach neutralizes threats before they execute. Solutions like Morphisec’s Anti-Ransomware Assurance Suite can help protect Linux systems through:

  • Pre-Execution Protection - Blocking ransomware before it can encrypt files.
  • Memory Shielding - Preventing in-memory payloads from executing.
  • Lightweight & Scalable Solutions - Minimal impact on system performance while providing robust protection.

BERT Ransomware: A Cross-Platform Threat

BERT ransomware, also known as "Water Pombero," targets both Windows and Linux systems, including ESXi environments. It employs multithreaded encryption, enabling rapid data scrambling.

BERT Ransomware

Key characteristics include:

  • Targeting ESXi VMs - It forces shutdowns of critical resources to maximize downtime.
  • Modularity - BERT's design allows for customizable attacks, increasing its effectiveness.

Helldown Ransomware's Expansion

Helldown ransomware has extended its reach to Linux and VMware ESX servers, employing a double-extortion model. The group has claimed numerous victims, exploiting vulnerabilities in Zyxel firewalls.

  • New Tactics - Helldown uses sophisticated methods to exfiltrate data before encryption, threatening to leak sensitive information.
  • Vulnerability Exploitation - Attacks often leverage known weaknesses in network devices, emphasizing the need for timely patches.

VMware ESXi: A Key Attack Vector

VMware ESXi servers are major targets for ransomware due to their critical role in business operations and the efficiency of encrypting multiple VMs simultaneously. Recent attacks have shown a tripling in ransomware targeting this environment.

Mitigation strategies include:

  • Regular Updates - Keeping ESXi software up-to-date to protect against known vulnerabilities.
  • Access Control - Implementing strong authentication and limiting administrative access to reduce initial attack vectors.
  • Network Segmentation - Isolating critical systems to prevent widespread infection.

Play Ransomware's New Linux Variant

The Play ransomware group has introduced a Linux variant specifically targeting ESXi environments. This strain utilizes double-extortion tactics and has shown a capacity to evade security measures.

  • Execution Check - The ransomware verifies its environment before executing, ensuring it runs only on ESXi.
  • Infection Chain - The attack involves several tools and commands specific to ESXi, demonstrating a sophisticated approach to maximize impact.

Best Practices for Mitigating Ransomware

Organizations should implement comprehensive strategies to reduce the risk of ransomware, including:

  • Patching and Updates - Ensure timely application of security updates.
  • Immutable Backups - Maintain secure, offline backups to facilitate recovery.
  • Role-Based Access Control - Implement strict access controls to limit exposure.

For further assistance in securing your Linux environment against evolving ransomware threats, explore Gopher Security and discover how we can help.

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 

MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article