Threat researchers at Sophos have identified a new strain of unusually fast-acting ransomware, written in the Python programming language, that has targeted VMware ESXi servers and virtual machines (VMs). It could present a significant threat to many environments to which security teams may, for various reasons, be less attentive.
While many cyber criminal operations spend considerable lengths of time moving around undetected in their victims’ systems before deploying ransomware, the operators of this particular variety are conducting “ultra-high speed”, “sniper-like” attacks that unfold over a matter of hours.
“This is one of the fastest ransomware attacks Sophos has ever investigated, and it appeared to precision-target the ESXi platform,” said Andrew Brandt, principal researcher at Sophos, who investigated one such incident during which just three hours elapsed between breach and encryption.
“Python is a coding language not commonly used for ransomware. However, Python is pre-installed on Linux-based systems such as ESXi, and this makes Python-based attacks possible on such systems,” he said.
“ESXi servers represent an attractive target for ransomware threat actors because they can attack multiple virtual machines at once, where each of the virtual machines could be running business-critical applications or services. Attacks on hypervisors can be both fast and highly disruptive. Ransomware operators including DarkSide and REvil have targeted ESXi servers in attacks,” added Brandt.
In the investigated case, the attack began at half past midnight on a Sunday morning, when the ransomware operator obtained access to a TeamViewer account on the system of a user with domain admin rights and credentials.
Within 10 minutes, Sophos said, the attacker used the Advanced IP Scanner tool to sniff out targets, zeroing in on an ESXi server that, in this case, was likely vulnerable because it had an active shell programming interface.
They then installed the Bitvise secure network communications tool on the admin’s machine, which gave them access to the ESXi system, including the VMs’ virtual disk files. By 3:40 am, the ransomware had been deployed and files encrypted.
Brandt said that in this particular case there was a certain amount of luck on the part of the attacker, in that the shell interface on the target server had been enabled and disabled several times in the weeks leading up to the attack by the victim’s IT team, and was likely left enabled by accident, making the attack much easier to carry out.
While ransomware that runs on Linux-like operating systems such as that used by ESXi is quite uncommon, those who take the time to develop it may be more likely to hit the jackpot, as security teams are often somewhat less likely to protect such systems adequately.
“Administrators who operate ESXi or other hypervisors on their networks should follow security best practices. This includes using unique, difficult to brute-force passwords and enforcing the use of multi-factor authentication wherever possible,” said Brandt.
“The ESXi Shell can and should be disabled whenever it is not being used by staff for routine maintenance – for instance, during the installation of patches. The IT team can do this by either using controls on the server console or through the software management tools provided by the vendor.”
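The failure mode described above, a shell toggled on for maintenance and then left on, can be caught by pairing enable and disable events per host. The following is an added example, not code from Sophos or VMware; the event format, host names, dates and the four-hour maintenance window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp host action" form.
# This is NOT a real ESXi log format; map your own audit source onto it.
SAMPLE_EVENTS = """\
2021-09-06T09:00:00 esx01 shell_enabled
2021-09-06T10:30:00 esx01 shell_disabled
2021-09-20T14:00:00 esx01 shell_enabled
2021-09-20T14:45:00 esx01 shell_disabled
2021-09-28T16:00:00 esx01 shell_enabled
2021-09-27T08:00:00 esx02 shell_enabled
2021-09-27T20:00:00 esx02 shell_disabled
"""

ACTIONS = ("shell_enabled", "shell_disabled")

def parse_events(text):
    """Return time-sorted (timestamp, host, action) tuples; skip bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ACTIONS:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2]))
    return sorted(events)

def audit_shell_windows(events, now, max_window=timedelta(hours=4)):
    """Return (host, enabled_at, duration, still_open) for over-long windows."""
    open_since, findings = {}, []
    for ts, host, action in events:
        if action == "shell_enabled":
            open_since.setdefault(host, ts)  # repeated enables keep the earliest
        elif host in open_since:
            start = open_since.pop(host)
            if ts - start > max_window:      # closed, but open too long
                findings.append((host, start, ts - start, False))
    for host, start in sorted(open_since.items()):
        if now - start > max_window:         # never disabled: still exposed
            findings.append((host, start, now - start, True))
    return findings

if __name__ == "__main__":
    now = datetime(2021, 10, 3, 0, 30)
    for finding in audit_shell_windows(parse_events(SAMPLE_EVENTS), now):
        print(finding)
```

Findings with `still_open` set are the ones to act on first, since they represent a shell that is exposed at the time of the check.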
More details of the ransomware involved, including some noteworthy tactics, techniques and procedures (TTPs), are available from Sophos, and VMware has published guidance on protecting ESXi hypervisors.