Shortly after hitting Colonial Pipeline, the Darkside developers announced they would be closing operations. Nevertheless, researchers at AT&T Alien Labs have observed evidence that the group had completed a Linux version of its malware, one that targets ESXi servers hosting VMware virtual machines. Consistent with this, the authors announced a Darkside 2.0 version with Linux capabilities.
“Linux and UNIX servers have always been a preferred option for servers and data centers, likely due to the small attack surface of the servers, tight configurations, and lack of user interaction,” said Ofer Caspi, security researcher for AT&T Alien Labs, part of AT&T Cybersecurity, in a blog post on the subject. “However, they are often set up and then forgotten, left without detection or protection mechanisms. This makes them very attractive to attackers. By infecting unprotected virtualization servers, attackers can perform devastating attacks on companies, taking down all the services of a company with a single infection.”
Unlike common Linux ransomware, which mostly compresses files into password-protected archives, Darkside encrypts files using cryptographic libraries. If the encryption is implemented correctly, this likely makes recovery impossible without the key.
Caspi offered the following advice:
- Keep software up to date with security updates.
- Carefully monitor and manage suspicious emails.
- Use a backup system to back up server files.
- Install antivirus and/or endpoint detection and response (EDR) on all endpoints.
- Make sure two-factor authentication is enabled on all services.
For more information and the full analysis, see the blog post: https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-version