Threat Analysis Unit Multi-Cloud Security

Ransomware Attacks and Techniques – Analysis from VMware Threat Report

Ransomware attacks are evolving to target Linux-based cloud environments and often combine data exfiltration and double-extortion tactics, according to Exposing Malware in Linux-Based Multi-Cloud Environments, a VMware Threat Analysis Unit report.   

This post highlights some key analysis of recent ransomware attacks against cloud deployment, insights on techniques deployed, and how the threat can be detected and mitigated.  

Ransomware families examined 

In the report, the VMware Threat Analysis Unit analyzed nine ransomware families that target Linux-based systems. Brief descriptions of each of the families are presented as well as analysis on the different characteristics of the ransomware samples of each of these particular ransomware families.  

The ransomware families investigated include: REvil, DarkSide, BlackMatter, Defray777, HelloKitty, ViceSociety, Erebus, GonnaCry, eChOraix. 

“The analysis of these artifacts looked at code fragments and other meta-information to understand the relationships between families, showing how it is possible to characterize similar samples and identify the lineage and evolution of specific families,” explains Giovanni Vigna, senior director of threat intelligence, VMware and one of the authors of the report.  

Characterizing behavior 

The report found that defense evasion (59%) was the most common tactic used with the ransomware families examined. The threat researchers also found various encryption or obfuscation techniques – such as Base64 encoding and AES-based encryption – used by the attackers to hide their code and data. 

Attackers are now looking for the most valuable assets in cloud environments, according to the report, to inflict the maximum amount of damage to the target. These examples include the Defray777 ransomware family, which encrypted guest images on ESXi servers, and the DarkSide ransomware family, which crippled Colonial Pipeline’s networks and caused a nationwide gasoline shortage in the U.S. 

Detecting and mitigating these types of ransomware threats 

The report recommends using a combination of approaches, mechanisms, and policies to fight ransomware.  

Beyond having a solid data backup and recovery process, deploying an EDR solution that monitors the actions performed by processes on cloud workloads is critical to a defense-in-depth strategy, according to the VMware threat report. This approach should also be complemented by an effective segmentation and NDR system that can recognize network-based evidence of attacks and ideally block the malware before it can take hold of the target hosts.  

Read the full report  

These are just some highlights from the VMware threat report’s analysis on ransomware. Exposing Malware in Linux-Based Multi-Cloud Environments also examines the rise of cryptomining/jacking and the deployment of remote access tools in Linux-based multi-cloud environments. Be sure to download the full report for detailed insights and analysis to help you secure your organization.  

Download — Exposing Malware in Linux-Based Multi-Cloud Environments