Ransomware group is using Python to attack VMware ESXi servers

Sophos researchers have found a previously unknown ransomware that uses a Python script to encrypt virtual machines hosted on VMware ESXi servers.

Python is not often used for ransomware development, but it is well suited to ESXi: the hypervisor ships with a Python interpreter, as do most Linux-based servers, so the attacker needs to bring nothing to the host except the script itself.

According to Sophos researchers, the Python ransomware script was used to encrypt the victim’s virtual machines running on ESXi hypervisors within three hours of the initial intrusion.

In a recent investigation of a ransomware attack, Sophos found that the attacker had run a custom Python script on the hypervisor hosting the target virtual machines to encrypt all of their virtual disks, taking the organization’s virtual machines offline.

In one of the quickest attacks Sophos has investigated, the attackers spent just over three hours on the target’s network from the initial breach to the deployment of the ransomware script, which encrypted the virtual disks on the VMware ESXi server.

Encrypted using a 6 KB script

The attacker gained access to the victim’s network by logging into a TeamViewer account on a device where a domain administrator was also logged in.

After the intrusion, the attacker used Advanced IP Scanner to locate the ESXi server on the network and logged into it over SSH via the built-in ESXi Shell service. This service is disabled by default, but IT staff had enabled it and accidentally left it on.

The attacker then executed a 6 KB Python script that encrypted the virtual disks and VM configuration files of every virtual machine on the host.

The script, which was partially recovered during the investigation of the incident, lets the operator configure multiple encryption keys and contact email addresses and customize the suffix appended to encrypted files.

It appears to be written to shut down each virtual machine, overwrite the original files on the datastore volume with encrypted data and then delete them, leaving only the encrypted copies so as to thwart any recovery attempt.
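The sequence described above, an SSH login to the host followed by a burst of VM power-offs shortly before encryption starts, is visible in the host’s own logs. The following is an added example written for this article, not the Sophos-recovered script or any VMware tooling: it correlates SSH logins in ESXi’s /var/log/auth.log with vim.VirtualMachine.powerOff tasks in /var/log/hostd.log and raises an alert when a login is followed by an unusual number of power-offs. The log lines are constructed, the line layouts approximate real ESXi logs (an assumption to check against your own hosts), and the 15-minute window and threshold of five power-offs are illustrative values.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines for this example; they are not from the Sophos case.
# Layouts approximate ESXi's /var/log/auth.log and /var/log/hostd.log and are an
# assumption: verify them against a host running your ESXi version before use.
AUTH_LOG = """\
2021-10-05T10:01:12Z sshd[1049863]: Accepted keyboard-interactive/pam for root from 10.20.30.40 port 51022 ssh2
2021-10-05T11:30:00Z sshd[1049990]: Accepted keyboard-interactive/pam for root from 10.20.30.99 port 51100 ssh2
"""

HOSTD_LOG = "\n".join(
    # eight power-off tasks within twelve seconds, shortly after the first SSH login
    [f"2021-10-05T10:03:{40 + i:02d}.101Z info hostd[2098921] [Originator@6876 sub=Vimsvc.TaskManager] "
     f"Task Created : haTask-{10 + i}-vim.VirtualMachine.powerOff-{200 + i}" for i in range(8)]
    # one isolated power-off after the second login: ordinary maintenance
    + ["2021-10-05T11:45:00.000Z info hostd[2098921] [Originator@6876 sub=Vimsvc.TaskManager] "
       "Task Created : haTask-31-vim.VirtualMachine.powerOff-300"]
) + "\n"

SSH_LOGIN = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port")
POWER_OFF = re.compile(r"^(?P<ts>\S+) .*vim\.VirtualMachine\.powerOff")


def parse_ts(raw):
    """ESXi logs use ISO-8601 UTC timestamps, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(raw, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {raw}")


def ssh_logins(auth_log):
    """Return successful SSH logins as dicts with time, user and source address."""
    logins = []
    for line in auth_log.splitlines():
        m = SSH_LOGIN.match(line)
        if m:
            logins.append({"ts": parse_ts(m["ts"]), "user": m["user"], "src": m["src"]})
    return logins


def power_offs(hostd_log):
    """Return the timestamps of every VM power-off task hostd recorded."""
    return [parse_ts(m["ts"]) for line in hostd_log.splitlines() if (m := POWER_OFF.match(line))]


def detect(auth_log, hostd_log, window=timedelta(minutes=15), threshold=5):
    """Alert on each SSH login that is followed, within `window`, by at least
    `threshold` VM power-offs: the pattern of a script shutting VMs down before
    encrypting their disks. Window and threshold are illustrative assumptions."""
    offs = sorted(power_offs(hostd_log))
    alerts = []
    for login in ssh_logins(auth_log):
        in_window = [t for t in offs if login["ts"] <= t <= login["ts"] + window]
        if len(in_window) >= threshold:
            alerts.append({
                "login_time": login["ts"].isoformat(),
                "user": login["user"],
                "source": login["src"],
                "poweroffs": len(in_window),
                "first_poweroff": in_window[0].isoformat(),
                "last_poweroff": in_window[-1].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(AUTH_LOG, HOSTD_LOG):
        print(alert)
```

Because the attacker in this case ran the script as root on the hypervisor itself, the host-local copies of these logs cannot be trusted after the fact; the correlation is only worth running on logs that were forwarded to a remote syslog collector before the intrusion. The second login in the sample, followed by a single power-off, produces no alert, which is the intended behaviour for routine maintenance.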

Administrators running ESXi and other hypervisors should follow security best practices: avoid password reuse and use passwords of sufficient length and complexity that they cannot practically be brute-forced.

Wherever possible, enable multi-factor authentication, and require it for highly privileged accounts such as domain administrators.

VMware also publishes guidance on securing ESXi hosts by limiting unauthorized access and reducing the attack surface of the hypervisor itself:

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-E9B71B85-FBA3-447C-8A60-DEE2AE1A405A.html

VMware ESXi server under attack

Attacking ESXi servers is a highly effective tactic for ransomware groups because most ESXi hosts run many virtual machines at once, and business-critical services and applications are deployed on many of them, so encrypting a single host takes all of them down at once.

Multiple ransomware groups, including Darkside, RansomExx and Babuk Locker, have exploited a pre-authentication RCE vulnerability in VMware ESXi to encrypt the virtual hard disks used as centralized enterprise storage.

This is not the first time a Python-based tool has been used against VMware servers exposed to the Internet: in June 2021, the Python-based FreakOut malware, which runs on both Windows and Linux, was found to have been upgraded to compromise VMware vCenter servers left unpatched against a critical RCE vulnerability in a component that is installed by default.

FreakOut is an obfuscated Python script that uses a polymorphic engine to evade detection and a user-mode rootkit to hide the malicious files it drops on infected systems.

In July and August, Linux versions of the HelloKitty and BlackMatter ransomware were also identified, both targeting VMware’s ESXi virtual machine platform.

Because VMware ESXi is one of the most popular virtualization platforms in the enterprise, nearly every ransomware operation targeting enterprises has begun developing encryptors built specifically for ESXi virtual machines.