Ransomware Threat Grows as Attackers Move Into VMware and Linux

Linux has been the reliable backbone of business infrastructure for many years; it powers 96% of the top million web servers worldwide and more than 80% of workloads in public clouds.

Its reputation for reliability and inherent security has long shielded it from the intense scrutiny faced by Windows environments.

However, this era of relative obscurity is ending as ransomware operators increasingly pivot to Linux-native attacks, exploiting its ubiquity in critical applications, APIs, DevOps pipelines, and virtualized infrastructures.

Recent developments underscore this shift: threat actors are no longer adapting Windows-centric malware but are engineering sophisticated Linux-specific ransomware variants.

For instance, the Pay2Key ransomware has been updated with builder options explicitly targeting Linux systems, while Helldown has expanded its capabilities to infiltrate VMware environments alongside Linux hosts.

Similarly, BERT ransomware leverages Linux ELF (Executable and Linkable Format) files to weaponize payloads, enabling seamless execution on diverse distributions.

This evolution reflects a ...