Skip to Content

Multiplatform Ransomware

The ransomware landscape is one that is rapidly evolving. This year in particular, there has been a big trend in the increase of multiplatform ransomware. We are going to take a closer look at some examples, and examine why this threat is evolving.

Ransomware Targeting Windows, Linux, and VMware ESXi

I’ve spoken to endless organizations in the last several years, and have noticed a few misconceptions. One of the major misconceptions it that ransomware is a “Windows thing”. While yes, many organizations do target Windows due to its prevalence, the fact of the matter is that anything can be ransomware, as long as someone is willing to put in the time and effort.

One recent example is Luna ransomware, which Kapersky recently released a report on. This ransomware example targets all three platforms.

In many cases, it is the Linux variants that are slightly modified to also work with VMware ESXi. If we look at this from a level of effort point of view, we have to keep in mind that the threat actors have one thing in mind, to get paid.

While some groups may not want to bother with a Linux port, others may see a pot of gold at the end of the rainbow when they move to attacking VMware ESXi with ransomware. Getting to the VMware environment allows the most damage the fastest.

The fact is that organizations cannot simply ignore the platforms they have in their environment, they need to have plans in place to recover just about everything.

So what’s the best way to develop ransomware and cause the most trouble?

Rise in Rust Based Ransomware

Luna is one example of ransomware written in the Rust programming language. Other notable recent examples are Hive and BlackCat.

So why are ransomware groups starting to gravitate this way? Let’s go straight to the source, Rust’s website.

Here are some of the powerful features they advertise.

A language empowering everyone to build reliable and efficient software

Well of course you want to build reliable and efficient software so the ransom gets paid.

“Performance. Rust is blazingly fast and memory efficient”

Wow, this sounds great for a piece of software that I want to run as fast as possible.

“Rust has great documentation, a friendly compiler with useful error messages, and top-notch tooling.”

This sounds like it will be easy to recruit new talent to work with this software, even if they don’t have previous experience with Rust.

I could go on and on with this, but the fact is that Rust is a simple to use highly performant programming language. The other benefit is that Rust is cross platform, making it easy to develop for Windows, Linux (and ESXi), and Mac all at the same time.

Which means that with some solid development on a single piece of ransomware, you really can cause the most damage an environment as quickly as possible.

The Mac piece is also interesting. I know even for me there is a tendency to focus on the datacvernte when it comes to ransomware protection, but we cannot neglect our end user devices.

Especially when we talk about the treat of exfiltration, these devices become even more critical. You’re backing up the devices of your end users, right?

Multiplatform Ransomware for Maximum Havoc

To me, there is no surprise that ransomware is moving in this dir4ection. After all, at the end of the day, ransomware operators want to get paid, and the more damage they do, the more likely the payout is.

This just means it is time for organizations to take a good luck at their current plans when it comes to a ransomware attack, and make sure they are in fact protecting all of their assets.