New Python-programmed ransomware targets virtual machines

Sophos, a company focused on cybersecurity research and solutions, released details of a new ransomware written in Python, used by attackers to compromise and encrypt virtual machines hosted on an ESXi hypervisor.


According to the report, “Python Ransomware Script Targets ESXi Servers for Encryption”, the attackers went from initial intrusion to encryption of the virtual machines’ disk files in less than three hours.

ESXi, like hypervisors in general, is software (sometimes combined with firmware or hardware) that creates and runs virtual machines (VMs). The computer running the VMs is the host, or host machine, and the VMs are the guests, or guest machines. Companies use these tools mainly because they give IT greater mobility: a guest VM is independent of the physical host and can easily be moved between the company’s servers.


According to Andrew Brandt, a Sophos researcher, this new ransomware is one of the fastest ever analyzed by the company. Brandt explains why this malware is so effective. “Python is a little used coding language for ransomware. However, it is pre-installed on Linux-based systems such as ESXi, and this makes possible Python-based attacks on these systems. ESXi servers represent an attractive target for cybercriminals because they can attack multiple virtual machines at the same time, each of which may be running business-critical applications or services. Hypervisor attacks can be quick and highly disruptive. Ransomware operators, including DarkSide and REvil, are targeting ESXi servers in their attacks,” he adds.

The attack analyzed by Sophos started at 12:30 a.m. on a Sunday, when the ransomware operators logged into a TeamViewer account running on a computer that belonged to a user who also held domain administrator credentials for the targeted domain. About ten minutes later, the attackers used the Advanced IP Scanner tool to search for other computers on the network.

Sophos investigators believe the ESXi server on the network was exposed because ESXi Shell, a command-line interface that IT teams use for maintenance commands and updates, had been left enabled. The attackers installed the Bitvise SSH client on the domain administrator’s machine and used it to reach the ESXi host over SSH, which gave them remote access to the ESXi system and all of its data, including the virtual disk files used by the virtual machines. By 3:30 a.m. the ransomware had been deployed and the virtual hard disks hosted on the ESXi server were encrypted.

How to protect yourself

ESXi menu where ESXi Shell can be disabled. (Image: Reproduction/Sophos)


Andrew Brandt states that administrators of ESXi systems or other hypervisors should follow all security practices recommended by the tool vendors, such as using strong, unique passwords and multi-factor authentication wherever possible. In addition, Brandt states that ESXi Shell should be disabled whenever no one is using it for routine maintenance, for example when installing patches.
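The practical version of Brandt’s advice is an audit that finds every host where ESXi Shell or SSH is running (or set to start automatically) and turns them off, plus a non-zero shell timeout so a session left open after maintenance does not stay open indefinitely. The script below is an added example written for this article, not code from Sophos or VMware; it uses VMware PowerCLI, and the vCenter name, the 900-second timeout and the `-Fix` switch are assumptions. Service key `TSM` is ESXi Shell and `TSM-SSH` is the SSH daemon.

```powershell
# Added example (not from the Sophos report): audit and, with -Fix, disable
# ESXi Shell / SSH and cap shell timeouts on every host managed by a vCenter.
# Assumes VMware PowerCLI; 'vcenter.example.local' is a placeholder.
param(
    [string]$VCenter = 'vcenter.example.local',
    [int]$ShellTimeoutSeconds = 900,   # assumed value; 0 means "never time out"
    [switch]$Fix
)

Connect-VIServer -Server $VCenter | Out-Null

$serviceKeys     = 'TSM', 'TSM-SSH'   # TSM = ESXi Shell, TSM-SSH = SSH
$timeoutSettings = 'UserVars.ESXiShellTimeOut', 'UserVars.ESXiShellInteractiveTimeOut'

foreach ($vmhost in Get-VMHost) {
    # Report (and optionally fix) shell/SSH services that are running or allowed to autostart.
    foreach ($svc in Get-VMHostService -VMHost $vmhost | Where-Object { $serviceKeys -contains $_.Key }) {
        $exposed = $svc.Running -or ($svc.Policy -ne 'off')
        [pscustomobject]@{
            Host    = $vmhost.Name
            Service = $svc.Label
            Running = $svc.Running
            Policy  = $svc.Policy
            Exposed = $exposed
        }
        if ($Fix -and $exposed) {
            if ($svc.Running) { Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null }
            Set-VMHostService -HostService $svc -Policy Off | Out-Null
        }
    }

    # A timeout of 0 leaves an enabled shell open forever; cap it.
    foreach ($name in $timeoutSettings) {
        $setting = Get-AdvancedSetting -Entity $vmhost -Name $name
        if ($setting.Value -eq 0 -or $setting.Value -gt $ShellTimeoutSeconds) {
            Write-Warning "$($vmhost.Name): $name is $($setting.Value) (0 = never times out)"
            if ($Fix) {
                Set-AdvancedSetting -AdvancedSetting $setting -Value $ShellTimeoutSeconds -Confirm:$false | Out-Null
            }
        }
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it without `-Fix` first to see which hosts have the shell or SSH enabled; rerun with `-Fix` once a maintenance window is agreed, since stopping SSH will drop any administrator session that is using it. Setting the policy to `Off` also stops the service from coming back after a reboot, which a plain stop does not.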

To help defend against ransomware and related cyberattacks, Sophos further recommends the following practices:

  • Deploy layered protection: As more ransomware attacks begin to involve extortion, backups are still necessary but insufficient. First, the most important thing is to keep cybercriminals out or detect them quickly, before they do harm. Therefore, it is critical to use layered protection to block and detect intruders at every possible point;

  • Combine human experts and anti-ransomware technology: The key to stopping ransomware is defense in depth that combines dedicated anti-ransomware technology with human-led threat hunting. Technology provides the scale and automation an organization needs, while human specialists are better able to spot the tactics, techniques and procedures that indicate an attacker is trying to get into the environment. If organizations lack the in-house skills, they can get support from cybersecurity experts;

  • Monitor and respond to alerts: It is essential to ensure that the appropriate tools, processes and resources (people) are available to monitor, investigate and respond to threats seen in the environment. Ransomware attackers often time the attack during off-peak hours, on weekends or during the holidays, assuming that few people or no one is watching;

  • Set and apply strong passwords: Strong passwords are one of the first lines of defense. Passwords must be unique and complex and never reused. This is easier to do with a password manager that can store team credentials;

  • Use multi-factor authentication (MFA): Even strong passwords can be compromised. Any form of multi-factor authentication is better than none at protecting access to critical resources such as email, remote management tools and network assets;

  • Lock down accessible services: It is critical to perform network scans to identify and block ports commonly used by VNC, RDP or other remote access tools. If a machine needs to be reached using a remote management tool, place the tool behind a VPN or a zero-trust network access solution that uses multi-factor authentication as part of the login;

  • Practice segmentation and zero trust: It is imperative to separate critical servers from each other and from workstations, putting them on separate VLANs while working towards a zero-trust network model;

  • Keep offline backups of information and applications: Keeping backups up to date, in addition to holding an offline copy, ensures they can actually be recovered;

  • Take inventory of assets and accounts: Unknown, unsecured and unpatched devices on the network increase risk and create a situation where malicious activity can go unnoticed. It is vital to have a current inventory of all connected compute instances. Use network scans, IaaS tooling and physical checks to find and catalog devices, and install endpoint protection on any machine that lacks it;
  • Ensure security products are configured correctly: Unsecured systems and devices are also vulnerable. It is important to ensure that security solutions are configured correctly and, where necessary, to validate and update security policies regularly. New security features are not always automatically enabled, so it is extremely important not to disable Tamper Protection or create broad detection exclusions as this will make an attacker’s job easier;

  • Audit Active Directory (AD): Active Directory is the directory of all user accounts on the corporate network. Regular audits of every account in AD ensure that none has more access than it needs. It is also strongly recommended to disable the accounts of employees who are leaving the company;

  • Keep all systems up to date: Update Windows and other operating systems whenever possible. This also means verifying that patches are installed correctly and are in effect on critical systems such as Internet-facing machines and domain controllers.
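The intrusion above began with a user who also held domain administrator credentials, which is exactly what the Active Directory audit item in the list is meant to catch. The script below is an added example written for this article, not code from Sophos or Microsoft; it assumes the RSAT ActiveDirectory PowerShell module is installed and run from a domain-joined machine, and the 90-day inactivity threshold, the group list and the `-DisableStale` switch are assumptions. It reports who sits in the privileged groups (including nested membership) and which enabled user accounts have not logged on for the threshold period.

```powershell
# Added example (not from the Sophos report): audit privileged and stale AD accounts.
# Assumes the RSAT ActiveDirectory module; thresholds and group list are assumptions.
param(
    [int]$InactiveDays = 90,       # assumed threshold for "stale"
    [switch]$DisableStale          # only disable when explicitly asked
)

Import-Module ActiveDirectory

# 1. Who is effectively a domain/enterprise administrator (nested groups expanded)?
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
$privileged = foreach ($g in $privGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties LastLogonDate, PasswordLastSet |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, Enabled, LastLogonDate, PasswordLastSet
}
Write-Host "Privileged accounts:"
$privileged | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 2. Enabled user accounts with no logon in $InactiveDays days (ex-employees, forgotten service users).
$stale = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly |
    Where-Object Enabled
Write-Host "Enabled accounts inactive for more than $InactiveDays days:"
$stale | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize

# 3. Privileged accounts that are also stale deserve immediate attention.
$staleNames = $stale | ForEach-Object SamAccountName
$privileged | Where-Object { $staleNames -contains $_.SamAccountName } |
    ForEach-Object { Write-Warning "Privileged and inactive: $($_.SamAccountName) ($($_.Group))" }

if ($DisableStale) {
    $stale | Disable-ADAccount -Confirm:$false
}
```

Review the two tables before using `-DisableStale`: `LastLogonDate` is replicated only every two weeks or so, so an account that logged on very recently can still appear inactive, and service accounts that authenticate without interactive logons may need an exception list.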
