Ransomware threat actors are widening the pool of potential targets as they shift their sights from Windows-powered devices to Linux and VMware ESXi hosts, according to SentinelOne.

Cybercriminals are reusing and modifying code from ransomware families — including Conti, Lockbit and Babuk — to create novel attack techniques with malware that works across diverse platforms, Jim Walter, senior threat researcher at SentinelOne, said in a Wednesday blog post.

Programming languages such as Rust and Go allow threat actors to quickly port malware to multiple platforms and achieve feature parity across payloads for Windows, Linux and ESXi systems.

“Out of the gate, these Linux and ESXi-focused lockers contain all the requisite functionality of their Windows counterparts,” Walter said.

Memory-safe programming languages, like Rust or Go, offer benefits for attackers and defenders. These languages allow for faster and more complex encryption methods and deeper control.

Cybersecurity authorities earlier this month requested information on the development of memory-safe languages as they seek more secure software development techniques as part of their push for secure-by-design and secure-by-default principles.

“Two-thirds of vulnerabilities in memory-unsafe languages today are caused by memory-safety vulnerabilities,” Jack Cable, senior technical advisor at CISA, said during a presentation at Black Hat.

The diminished time gaps between the development of malicious Windows-targeted payloads and Linux or ESXi payloads underscore the advantage ransomware operators are gaining by shifting to these languages.

“The ability to efficiently target and encrypt virtual machines is highly attractive to ransomware operators,” Walter said. “Fully-virtualized infrastructure can be encrypted and compromised in minutes with the right, and robust, payloads.”