VMware ESXi Servers Encrypted by a Ransomware Group Using a Python Script

The operators of an unknown ransomware gang are using a Python script to encrypt the virtual machines hosted on VMware ESXi servers. While Python is not a common choice for ransomware development, it is a logical one for ESXi systems, since these Linux-based servers ship with Python installed by default.

As security researchers found while investigating a ransomware incident, a Python ransomware script was used to encrypt a victim's virtual machines running on a vulnerable ESXi hypervisor within three hours of the initial breach.

“A recently concluded investigation into a ransomware attack revealed that the threat actors executed a custom Python script in the target’s virtual machine hypervisor to encrypt all the virtual disks, taking the organization’s VMs offline.”

“In what was one of the quickest attacks researchers have investigated, from the time of the first negotiation until the setup of the ransomware script, the threat actors spent just over three hours on the target’s network before encrypting the virtual disks in a VMware ESXi server.”

VMs Encrypted Using a 6KB Script

In the middle of the night, over the weekend, the threat actors broke into the victim's network by logging into a TeamViewer account on a device where a domain administrator was logged on.

Once in, they began scanning the network for additional targets using Advanced IP Scanner and logged onto an ESXi server via the built-in ESXi SSH service, which the IT staff had incidentally left enabled (it is disabled by default).

The ransomware operators then ran a 6KB Python script to encrypt all of the virtual machines' virtual disk and VM settings files. The script allowed its operators to set the encryption keys and the contact email addresses and to customize the file suffix appended to the encrypted files.

It works by shutting down the virtual machines, overwriting the original files stored on the datastore volumes, and then deleting them to hinder recovery, leaving only the encrypted files behind.

“Administrators who operate ESXi or other hypervisors on their networks should follow security best practices, avoiding password reuse, and using complex, difficult to brute-force passwords of adequate length,” Brandt recommended. “Wherever possible, enable the use of multi-factor authentication and enforce the use of MFA for accounts with high permissions, such as domain administrators.”


VMware also provides guidance on securing ESXi servers by limiting the risk of unauthorized access and reducing the attack surface of the hypervisor itself.
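The intrusion described above hinged on an SSH service that should have been disabled and on an interactive login at an unusual time. The following is an added example, not code from the article or from the researchers it quotes, of a small detection check a defender could run over an ESXi host's SSH authentication log. The log lines are constructed to resemble OpenSSH "Accepted" records prefixed with an ISO-8601 timestamp, which is an assumption about the format of ESXi's `/var/log/auth.log`; the jump-host allowlist and the business-hours window are likewise assumed values.

```python
import re
from datetime import datetime, timezone

# Constructed sample log excerpt (not real data). The shape assumes OpenSSH-style
# "Accepted ..." records with an ISO-8601 UTC timestamp prefix.
SAMPLE_AUTH_LOG = """\
2021-10-01T14:12:03Z sshd[1001]: Accepted keyboard-interactive/pam for root from 10.10.5.20 port 50122 ssh2
2021-10-02T02:31:47Z sshd[1042]: Accepted keyboard-interactive/pam for root from 10.10.8.91 port 61020 ssh2
2021-10-02T02:32:10Z sshd[1043]: Failed keyboard-interactive/pam for root from 10.10.8.91 port 61021 ssh2
2021-10-02T02:33:58Z sshd[1044]: Accepted publickey for root from 10.10.8.91 port 61025 ssh2
2021-10-04T09:05:12Z sshd[1100]: Accepted keyboard-interactive/pam for root from 10.10.5.20 port 50200 ssh2
"""

# Assumed policy: only the admin jump host may open SSH sessions to the hypervisor,
# and interactive administration is expected during these UTC hours on weekdays.
ALLOWED_SOURCES = {"10.10.5.20"}
BUSINESS_HOURS = range(7, 19)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_accepted_logins(text):
    """Return one dict per successful SSH login found in the log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # failed attempts and unrelated lines are skipped here
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m.group("user"),
                       "src": m.group("src"), "method": m.group("method")})
    return events


def find_suspicious_logins(events, allowed=ALLOWED_SOURCES, hours=BUSINESS_HOURS):
    """Flag successful logins that break the allowlist or happen off-hours/weekends.

    Returns a list of (timestamp, source, user, reasons) tuples.
    """
    findings = []
    for e in events:
        reasons = []
        if e["src"] not in allowed:
            reasons.append("source not in allowlist")
        if e["ts"].hour not in hours:
            reasons.append("outside business hours")
        if e["ts"].weekday() >= 5:  # Monday is 0, so 5 and 6 are the weekend
            reasons.append("weekend")
        if reasons:
            findings.append((e["ts"].isoformat(), e["src"], e["user"], reasons))
    return findings


if __name__ == "__main__":
    for ts, src, user, reasons in find_suspicious_logins(parse_accepted_logins(SAMPLE_AUTH_LOG)):
        print(f"{ts} {user}@{src}: {', '.join(reasons)}")
```

In the constructed sample, the two Saturday-night logins from the non-allowlisted host trip every rule and surface as findings, while the weekday logins from the jump host do not. The better control remains the one VMware's guidance points to: leave the SSH service disabled unless it is needed, so there is nothing to log in to.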

Why are VMware ESXi servers under attack?

Attacking ESXi servers is a highly disruptive tactic for ransomware groups, since most of these servers run multiple virtual machines simultaneously, many of them hosting business-critical services and applications.

Multiple ransomware gangs, including Darkside, RansomExx, and Babuk Locker, have exploited VMware ESXi pre-auth RCE bugs to encrypt virtual hard disks used as centralized enterprise storage.

This is not the first incident where Python-based malicious tools have been used to target Internet-exposed VMware servers.

In June, researchers spotted the multi-platform Python-based FreakOut malware, which targets Windows and Linux devices, upgraded to worm its way onto VMware vCenter servers left unpatched against a critical RCE bug affecting all default installs.

FreakOut is an obfuscated Python script designed to evade detection with the help of a polymorphic engine and a user-mode rootkit that hides the malicious files dropped on infected systems.

Linux versions of the HelloKitty and BlackMatter ransomware were also spotted in the wild in July and August, both targeting VMware's ESXi virtual machine platform.

To make matters worse, with VMware ESXi being one of the most popular enterprise virtual machine platforms, if not the most popular, almost every enterprise-targeting ransomware gang has started developing encryptors designed specifically to target ESXi virtual machines.
