Cybercriminals target Linux-based systems with ransomware and cryptojacking attacks

PALO ALTO, Calif.–(BUSINESS WIRE)–As the most common cloud operating system, Linux is a central part of digital infrastructure and is quickly becoming a ticket to attack in a multi-cloud environment. Current malware countermeasures are primarily focused on combating Windows-based threats, leaving many public and private cloud deployments vulnerable to attacks targeting Linux-based workloads.

Today, VMware, Inc. (NYSE:VMW) published a threat report titled “Exposing Malware in Linux-Based Multi-Cloud Environments”.(1) Key findings that detail how cybercriminals use malware to target Linux-based operating systems include:

  • Ransomware is evolving to target Linux host images used to spin up workloads in virtualized environments;

  • 89% of cryptojacking attacks use XMRig-related libraries; and

  • More than half of Cobalt Strike users may be cybercriminals, or at least using Cobalt Strike illicitly.

“Cybercriminals are dramatically expanding their reach and adding malware that targets Linux-based operating systems to their attack toolkit to maximize their impact with the least amount of effort,” said Giovanni Vigna, Director principal of threat intelligence at VMware. “Rather than infecting an endpoint and then navigating to a higher value target, cybercriminals have discovered that by compromising a single server, they can gain the massive gains and access they seek. Attackers view public and private clouds as high-value targets because of the access they provide to critical infrastructure services and confidential data. Unfortunately, current malware countermeasures focus primarily on combating Windows-based threats, leaving many public and private cloud deployments vulnerable to attacks on Linux-based operating systems.

As malware targeting Linux-based operating systems increases in volume and complexity in a rapidly changing threat landscape, organizations must place a higher priority on threat detection. In this report, the VMware Threat Analysis Unit (TAU) analyzed threats to Linux-based operating systems in multi-cloud environments: ransomware, cryptominers, and remote access tools.

Ransomware targets the cloud to inflict maximum damage

As one of main breach for organizations, a successful ransomware attack on a cloud environment can have devastating consequences.(2) Ransomware attacks against cloud deployments are targeted and are often combined with data exfiltration, implementing a double extortion scheme that improves the chances of success. A new development shows that ransomware is evolving to target Linux host images used to spin up workloads in virtualized environments. Attackers now seek out the most valuable assets in cloud environments to inflict maximum damage on the target. Examples include the Defray777 ransomware family, which encrypts host images on ESXi servers, and the DarkSide ransomware family, which crippled Colonial Pipeline networks and caused a national gasoline shortage in the United States.

Cryptojacking attacks use XMRig to mine Monero

Cybercriminals looking for instant monetary reward often target cryptocurrencies using one of two approaches. Cybercriminals either include wallet-stealing functionality in malware or they monetize stolen CPU cycles to successfully mine cryptocurrencies in an attack called cryptojacking. Most cryptojacking attacks focus on mining Monero (or XMR) currency, and VMware TAU found that 89% of cryptominers use XMRig-related libraries. For this reason, when XMRig-specific libraries and modules in Linux binaries are identified, it is likely evidence of malicious cryptomining behavior. VMware TAU has also observed that defense evasion is the most common technique used by cryptominers. Unfortunately, since cryptojacking attacks do not completely disrupt the operations of cloud environments like ransomware, they are much harder to detect.

Cobalt Strike is the remote access tool of choice for attackers

In order to gain control and persist in an environment, attackers seek to install an implant on a compromised system that gives them partial control of the machine. Malware, webshells, and Remote Access Tools (RATs) can all be implants attackers use in a compromised system to allow remote access. One of the main implants used by attackers is Cobalt Strike, a commercial penetration test and red team tool, and its recent Linux-based Vermilion Strike variant. Since Cobalt Strike is such a ubiquitous threat on Windows, the expansion to the Linux-based operating system demonstrates threat actors’ desire to use readily available tools that target as many platforms as possible.

VMware TAU discovered more than 14,000 active Cobalt Strike Team servers on the Internet between February 2020 and November 2021. The total percentage of leaked Cobalt Strike client IDs is 56%, which means that more than half of the users of Cobalt Strike may be cybercriminals, or at least using Cobalt Strike illegally. The fact that RATs like Cobalt Strike and Vermilion Strike have become a staple tool for cybercriminals poses a significant threat to businesses.

“Since we performed our analysis, even more ransomware families have been observed revolving around malware targeting Linux-based systems, with the potential for additional attacks that could exploit Log4j vulnerabilities,” said Brian Baskin, Head of Threat Research at VMware. “The findings of this report can be used to better understand the nature of this malware and mitigate the growing threat posed by ransomware, cryptomining and RATs to multi-cloud environments. As attacks targeting the cloud continue to evolve, organizations must adopt a Zero Trust approach to embed security throughout their infrastructure and systematically address the threat vectors that make up their attack surface.

Download the full report here.


The VMware Threat Analytics Unit (TAU) helps protect customers against cyberattacks through world-class innovation and research. TAU is made up of malware analysts, reverse engineers, threat hunters, data scientists, and intelligence analysts at VMware. To understand how to detect and prevent attacks that bypass traditional file-centric prevention strategies, TAU focuses on techniques that were once the domain of advanced hackers and are now moving into the commodity attack market. The team leverages real-time big data, event stream processing, static, dynamic and behavioral analysis, and machine learning.

TAU applied a combination of static and dynamic techniques to characterize various malware families observed on Linux-based systems based on a curated dataset of metadata associated with Linux binaries. All samples in this dataset are public and therefore easily accessible using VirusTotal or various websites of major Linux distributions. TAU has collected over 11,000 benign samples from several Linux distributions, namely Ubuntu, Debian, Mint, Fedora, CentOS, and Kali. TAU then collected a sample data set for two threat classes, namely ransomware and cryptominers. Finally, TAU collected a dataset of malicious ELF binaries from VirusTotal which was used as a test malware dataset. TAU started collecting the dataset in June 2021 and ended in November 2021.

About VMware

VMware is a leading provider of multicloud services for all applications, enabling digital innovation with business control. As the trusted foundation for accelerating innovation, VMware software gives businesses the flexibility and choice they need to build the future. Based in Palo Alto, Calif., VMware is committed to building a better future through the company’s 2030 agenda. For more information, please visit

Sources and citations

  1. Malware exposure in Linux-based multi-cloud environments, VMware, February 2022

  2. Global Security Insights Report, VMware, June 2021

About Jon Moses

Check Also

Intel promises “substantial contributions” to the growth of RISC-V • The Register

Analysis Here’s something that would have seemed odd just a few years ago: to help …