A comprehensive reverse engineering analysis has unveiled the sophisticated technical mechanisms behind Lockbit’s Linux ESXi ransomware variant, first discovered in 2022 but recently dissected to reveal advanced evasion techniques and cryptographic implementations that specifically target virtualized server environments.
Anti-Analysis Evasion and Obfuscation Techniques
The malware employs a clever anti-debugging mechanism using the ptrace system call to attach to its parent process.
If this operation fails, typically when debugging tools like gdb or strace are already tracing the process, the malware immediately exits, effectively evading dynamic analysis attempts.
String obfuscation adds another layer of protection, with nearly all text strings encrypted using a simple XOR routine with a hardcoded value of 0x39 (57 decimal).
This technique conceals critical functionality, including help menus, bash commands for VM navigation, and extensive logging capabilities that ironically make the malware highly verbose once deobfuscated.
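As an added illustration (not code from the analysis or from the sample itself), the Python below shows the deobfuscation step an analyst applies when a binary hides its strings behind a single-byte XOR: it decodes a blob with the 0x39 key, pulls out the printable runs, and also brute-forces the key from one string that must be present, which generalizes past the hardcoded 0x39 case. The sample blob is constructed here from the ESXi commands named in this article; it is not data taken from the malware.

```python
# Added example, not code from the original analysis: analyst helpers for
# recovering strings hidden with a single-byte XOR such as the 0x39 key
# reported for this LockBit ESXi sample.
import re
from typing import List, Optional

XOR_KEY = 0x39  # key reported in the analysis (57 decimal)


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with `key`; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def extract_strings(data: bytes, key: int = XOR_KEY, min_len: int = 6) -> List[str]:
    """Decode `data` with `key` and return printable ASCII runs of at least min_len."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(xor_decode(data, key))]


def find_key(data: bytes, known_plaintext: bytes) -> Optional[int]:
    """Brute-force the single-byte key under which `known_plaintext` appears.

    Generalizes the hardcoded-0x39 case: if a later build changes the key,
    one string that must be present (an ESXi command, a log format string)
    is enough to recover it. Returns None if no key works.
    """
    for key in range(256):
        if known_plaintext in xor_decode(data, key):
            return key
    return None


# Constructed sample data: the ESXi commands named in the analysis, XOR'd
# with 0x39 and separated by 0xff filler bytes (0xff ^ 0x39 = 0xc6, which is
# not printable, so the decoded strings stay separate).
_PLAINTEXT = [
    b"vim-cmd hostsvc/enable_ssh",
    b"vmdumper -l",
    b"esxcli vm process kill --type=force --world-id=",
]
SAMPLE_BLOB = b"\xff\xff".join(xor_decode(s) for s in _PLAINTEXT) + b"\xff"


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BLOB):
        print(s)
    print("recovered key: 0x%02x" % find_key(SAMPLE_BLOB, b"esxcli"))
```

Running the script prints the three commands and reports the key as 0x39. On a real sample the same functions are applied to the raw bytes of the data section rather than to a constructed blob.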
ESXi-Specific Attack Vectors
The ransomware demonstrates sophisticated knowledge of VMware ESXi environments through targeted bash command execution.
It automatically enables SSH access via vim-cmd hostsvc/enable_ssh and systematically identifies running virtual machines with vmdumper -l to extract their World IDs (WIDs).

Before encryption, the malware attempts to suspend running VMs, retrying up to nine times, using esxcli vm process kill --type=force --world-id=$wid, so that the VM disk files are not in use during the encryption process.
The malware validates its environment by checking for essential ESXi tools, including vm-support, vmdumper, and vim-cmd, before proceeding with its payload. It can be configured with VM and file extension exclusion lists, demonstrating operational flexibility for targeted attacks.
Advanced Cryptographic Implementation
Analysis revealed a hybrid encryption scheme combining libsodium and optimized AES implementations.

For each file, the malware generates a unique 128-bit encryption key using randombytes_buf, then seals this key in a cryptographic box using crypto_box_seal with a hardcoded public key.
The actual file encryption utilizes an optimized AES implementation featuring T-tables—four lookup tables of 1024 bytes each containing 256 4-byte integers. This approach provides faster encryption performance while maintaining cryptographic security.
Particularly concerning is the malware’s “free space wiping” capability, which overwrites unallocated disk space by creating temporary files and filling them with zeroed data based on filesystem block information, significantly complicating forensic recovery efforts.
The ransomware includes comprehensive logging functionality, writing detailed operation records to /tmp/locklog with timestamps and thread IDs, while creating /tmp/locker.pid as a mechanism to prevent multiple simultaneous executions.
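As an added example (not code from the analysis), the following Python is the kind of triage script a responder might keep for this family: it searches shell-log lines for the vim-cmd / vmdumper / esxcli sequence described in the ESXi section above and checks an evidence tree for the /tmp/locklog and /tmp/locker.pid files named here. The log lines, their format and the world ID are constructed for the example, and the scoring weights are an arbitrary choice.

```python
# Added example, not code from the original analysis: host triage helpers that
# look for the ESXi command sequence and the /tmp artifacts described above.
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, Iterable, List

# Command stages attributed to the locker, as regexes over shell history or
# shell-log lines.
SUSPICIOUS_COMMANDS = {
    "enable_ssh": re.compile(r"vim-cmd\s+hostsvc/enable_ssh"),
    "enumerate_vms": re.compile(r"\bvmdumper\s+-l\b"),
    "force_kill_vm": re.compile(r"esxcli\s+vm\s+process\s+kill\s+--type=force\s+--world-id=\S+"),
}

# Files the locker writes on the host.
ARTIFACT_PATHS = ("/tmp/locklog", "/tmp/locker.pid")


@dataclass
class TriageResult:
    hits: Dict[str, List[str]] = field(default_factory=dict)
    artifacts_present: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        """One point per command stage seen, two per artifact file found (arbitrary weights)."""
        return len(self.hits) + 2 * len(self.artifacts_present)


def scan_log_lines(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each command stage to the log lines that matched it."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        for stage, pattern in SUSPICIOUS_COMMANDS.items():
            if pattern.search(line):
                hits.setdefault(stage, []).append(line.strip())
    return hits


def check_artifacts(root: str = "/") -> List[str]:
    """Return the artifact paths that exist under `root`.

    `root` may be a mounted evidence image, so the check can run off-host.
    """
    base = Path(root)
    return [p for p in ARTIFACT_PATHS if (base / p.lstrip("/")).exists()]


def triage(lines: Iterable[str], root: str = "/") -> TriageResult:
    return TriageResult(hits=scan_log_lines(lines), artifacts_present=check_artifacts(root))


# Constructed sample in the shape of ESXi shell-log entries; the world ID is made up.
SAMPLE_SHELL_LOG = """\
2024-05-01T10:02:11Z shell[2048]: [root]: esxcli system version get
2024-05-01T10:03:40Z shell[2048]: [root]: vim-cmd hostsvc/enable_ssh
2024-05-01T10:03:41Z shell[2048]: [root]: vmdumper -l
2024-05-01T10:03:42Z shell[2048]: [root]: esxcli vm process kill --type=force --world-id=2101456
2024-05-01T10:03:43Z shell[2048]: [root]: esxcli vm process kill --type=force --world-id=2101456
""".splitlines()


def demo_artifact_check() -> List[str]:
    """Build a throwaway evidence tree containing only locker.pid and scan it."""
    with tempfile.TemporaryDirectory() as root:
        tmp = Path(root) / "tmp"
        tmp.mkdir()
        (tmp / "locker.pid").write_text("4242\n")  # constructed PID value
        return check_artifacts(root)


if __name__ == "__main__":
    result = triage(SAMPLE_SHELL_LOG, root="/")
    for stage, matched in result.hits.items():
        print(f"{stage}: {len(matched)} line(s)")
    print("artifacts:", result.artifacts_present, "score:", result.score)
```

The repeated force-kill lines in the sample reflect the retry behaviour described above; keeping every matching line per stage (rather than a boolean) lets a responder see how many attempts were made and against which world IDs.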
Despite law enforcement takedowns of Lockbit infrastructure, this technical analysis provides valuable insights into the evolving sophistication of Linux-targeted ransomware families.