DarkSide Ransomware Linux Variant

In recent times Trend Micro Research unrevealed that the DarkSide ransomware is targeting organizations in manufacturing, finance, and critical infrastructures in regions such as the United States, France, Belgium, and Canada.

The DarkSide ransomware targets both Windows and Linux platforms. Now, the researchers also noticed that the Linux variant, in particular, targets ESXI servers.

The Behaviour of the Linux Variant that Targets VMware ESXI Servers

The DarkSide ransomware has a Linux variant to infect more machines and cause more damage to the victim network. Still, this variant is quite specific, as its main configuration targets VM-related files on VMware ESXI servers.

Target File Extensions

The configuration of the Linux variant specifies features, such as the extension for encrypted files, C&C URL, number of threads, and a constraint on the minimum size of the target files to be encrypted.

The ransomware executable can accept parameters to infect more files and change its default settings. DarkSide runs several ESXCLI commands (such as the command-line interface framework in vSphere) to collect information about the infected ESXI host, such as the running virtual machinesVMs, storage-related information, and vSAN- related information.

The Linux variant of the DarkSide ransomware uses a ChaCha20 stream cipher (a variant of the Salsa20 family of stream ciphers) with RSA-4096 to encrypt targeted files on the victim machine.

The Ransomware performs a file size check before encryption and malware then opens the target file, reads the content based on the part and space size given in the configuration or the parameters, encrypts them, and writes to the file.

The analysis says that “the Linux variant drops a ransom note on the victim machine and adds a new file extension to the encrypted files and the malware does not add any ID at the end of it. Subsequently, it collects system information on the victim machine, such as hostname, domain, and disk information”.

System Information Collection

The research says that the DarkSide ransomware family targets both Windows and Linux platforms and there are similarities between the Linux and Windows variants, but they are different concerning some features, such as encryption mechanism, target files, ransom note name, extension, C&C URL, and more.

“It mainly targets VM-related files on VMWare ESXI servers, such as VMDK files”. Furthermore, the DarkSide ransomware runs ESXCLI commands to get vSAN and storage information on the victim machine.

It also lists and kills running VMs on the infected ESXI host before encryption. Finally, it drops a ransom note on the encrypted directories on the victim machine”, according to the analysis of TrendMicro.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.