Privacy Ninja

Ransomware Gang Encrypts VMware ESXi Servers With Python Script

Operators of an unknown ransomware gang are using a Python script to encrypt virtual machines hosted on VMware ESXi servers.

While the Python programming language is not commonly used in ransomware development, it is a logical choice for ESXi systems, seeing that such Linux-based servers come with Python installed by default.

As Sophos researchers recently discovered while investigating a ransomware incident, a Python ransomware script was used to encrypt a victim’s virtual machines running on a vulnerable ESXi hypervisor within three hours of the initial breach.

“A recently-concluded investigation into a ransomware attack revealed that the attackers executed a custom Python script on the target’s virtual machine hypervisor to encrypt all the virtual disks, taking the organization’s VMs offline,” SophosLabs Principal Researcher Andrew Brandt said.

“In what was one of the quickest attacks Sophos has investigated, from the time of the initial compromise until the deployment of the ransomware script, the attackers only spent just over three hours on the target’s network before encrypting the virtual disks in a VMware ESXi server.”

VMs encrypted using a 6KB script

The attackers breached the victim’s network in the middle of the night over a weekend by logging into a TeamViewer account running on a device where a domain administrator was logged on.

Once in, they searched the network for additional targets using Advanced IP Scanner and logged onto an ESXi server via the built-in SSH ESXi Shell service, which the IT staff had accidentally left enabled (it is disabled by default).

The ransomware operators then executed a 6KB Python script to encrypt all of the virtual machines’ virtual disk and settings files.

The script, partially recovered while investigating the incident, allows the ransomware operators to use multiple encryption keys and email addresses and customize the file suffix for the encrypted files.

It works by shutting down the virtual machines, overwriting the original files stored on the datastore volumes, and then deleting them to block recovery attempts, leaving only the encrypted files behind.
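The chain described above (an SSH login to the ESXi host, followed by VMs being powered off and a Python script launched) leaves traces in the host's own logs. The following is an added detection example, not code from the article or from Sophos, that correlates SSH logins with suspicious ESXi Shell commands; the log lines are constructed in the style of ESXi's auth.log and shell.log, and the regexes, window size and threshold are assumptions to tune for your environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the style of ESXi /var/log/auth.log (sshd) and
# /var/log/shell.log (commands typed in the ESXi Shell). Not from a real incident.
SAMPLE_LOG = """\
2021-10-03T01:58:12Z sshd[2098731]: Accepted keyboard-interactive/pam for root from 10.1.20.45 port 50122 ssh2
2021-10-03T02:01:40Z shell[2098790]: [root]: vim-cmd vmsvc/getallvms
2021-10-03T02:03:05Z shell[2098790]: [root]: vim-cmd vmsvc/power.off 12
2021-10-03T02:03:09Z shell[2098790]: [root]: vim-cmd vmsvc/power.off 14
2021-10-03T02:04:30Z shell[2098790]: [root]: python /tmp/encrypt.py
2021-10-03T09:15:02Z sshd[2101200]: Accepted publickey for root from 10.1.5.9 port 40110 ssh2
2021-10-03T09:16:11Z shell[2101233]: [root]: esxcli system version get
"""

LINE_RE = re.compile(r"^(\S+)\s+(sshd|shell)\[\d+\]:\s+(.*)$")
LOGIN_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")
# Commands that match the behaviour described in the article: powering VMs off,
# launching an interpreter, or removing virtual disks. Assumed patterns, extend as needed.
SUSPECT_RE = re.compile(r"(?:^|\s)(python\S*\s|vim-cmd vmsvc/power\.off|rm .*\.vmdk)")


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_suspicious_sessions(log_text, window=timedelta(minutes=30), min_hits=2):
    """Return [(login_time, user, src_ip, [commands])] for every SSH login that is
    followed within `window` by at least `min_hits` suspicious shell commands.
    Attribution is by time window only: ESXi shell.log does not record which SSH
    session issued a command, so overlapping logins may share the same hits."""
    logins, cmds = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, source, msg = parse_ts(m.group(1)), m.group(2), m.group(3)
        if source == "sshd":
            lm = LOGIN_RE.search(msg)
            if lm:
                logins.append((ts, lm.group(1), lm.group(2)))
        elif SUSPECT_RE.search(msg):
            cmds.append((ts, msg))
    findings = []
    for login_time, user, ip in logins:
        hits = [c for t, c in cmds if login_time <= t <= login_time + window]
        if len(hits) >= min_hits:
            findings.append((login_time, user, ip, hits))
    return findings


if __name__ == "__main__":
    for login_time, user, ip, hits in find_suspicious_sessions(SAMPLE_LOG):
        print(f"{login_time} SSH login {user}@{ip} followed by {len(hits)} suspicious commands")
```

On a real host, feed it the concatenated contents of auth.log and shell.log (or the same lines forwarded to a syslog collector); the 09:15 login in the sample is benign and is correctly not reported.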

“Administrators who operate ESXi or other hypervisors on their networks should follow security best practices, avoiding password reuse, and using complex, difficult to brute-force passwords of adequate length,” Brandt recommended.

“Wherever possible, enable the use of multi-factor authentication and enforce the use of MFA for accounts with high permissions, such as domain administrators.”

VMware also provides advice on securing ESXi servers by limiting the risk of unauthorized access and the attack surface on the hypervisor itself.

VMware ESXi servers under attack

Attacking ESXi servers is a highly disruptive tactic for ransomware groups since most of them run multiple virtual machines simultaneously, with business-critical services and apps deployed on many of them.

Multiple ransomware gangs, including Darkside, RansomExx, and Babuk Locker, have exploited VMware ESXi pre-auth RCE bugs to encrypt virtual hard disks used as centralized enterprise storage space.

This is not the first incident where Python-based malicious tools have been used to target Internet-exposed VMware servers.

In June, researchers spotted the multi-platform, Python-based FreakOut malware, which targets Windows and Linux devices, upgraded to worm its way onto VMware vCenter servers left unpatched against a critical RCE bug present in all default installs.

FreakOut is an obfuscated Python script designed to evade detection with the help of a polymorphic engine and a user-mode rootkit that hides malicious files dropped on infected systems.

Linux versions of the HelloKitty and BlackMatter ransomware were also spotted in the wild in July and August, both of them targeting VMware’s ESXi virtual machine platform.

Worse still, since VMware ESXi is one of the most popular, if not the most popular, enterprise virtual machine platforms, almost every enterprise-targeting ransomware gang has started developing encryptors designed specifically to target ESXi virtual machines.
