Ransomware-as-a-service has become an increasingly more visible threat to organizations, and we continue to see sophisticated ransomware attacks across multi-cloud environments. A new VMware Threat Analysis Unit report exposes just how agile attackers have become by weaponizing ransomware, cryptojacking, and Remote Access Tools (RATs) in Linux-based environments. The report clearly outlines the steps attackers take once they’ve obtained a foothold in their target cloud environment, either executing ransomware or deploying cryptojacking components. In addition to these two types of attacks, our threat researchers also present how threat actors implant themselves using RATs.
In the report, a team of highly skilled and dedicated threat researchers and security professionals provide an in-depth analysis to these key findings:
- Malware targeting Linux-based systems is fast, becoming an attacker’s way into high-value, multi-cloud environments. The report uncovers that Linux is the most used operating system across multi-cloud environments, as 78% of the most popular websites are powered by Linux.
- Ransomware targeting Linux-based systems is becoming highly sophisticated. The main threats in most multi-cloud environments are ransomware, cryptojacking, and RATs. However, ransomware targeting these systems has evolved to target host images and require high-level host monitoring and analysis.
- Monero cryptocurrency (XMR) is the most popular illicitly mined digital cpin of rising cryptojacking attacks on Linux-based systems. 89% of cryptominers use XMRig-related libraries and cryptojacking attacks focus on monetizing stolen CPU cycles to mine cryptocurrencies.
- Remote access tools (RATs) are an increasing threat. Our threat researchers reveal that there are more than 14,000 active Cobalt Strike Team Servers on the Internet since February 2020, and the total percentage of cracked or leaked Cobalt Strike customers is 56%, indicating more than half of Cobalt Strike users may be cyber criminals.