{"id":3339,"date":"2021-10-06T13:32:08","date_gmt":"2021-10-06T08:02:08","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=3339"},"modified":"2021-10-06T13:32:10","modified_gmt":"2021-10-06T08:02:10","slug":"vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/","title":{"rendered":"VMware ESXi Servers encrypt by a Ransomware Group using Python Script"},"content":{"rendered":"\n<p style=\"text-align: justify;\">The operators of an unknown ransomware gang are using a Python script to encrypt the virtual machines hosted on VMware ESXi servers. While Python is not commonly used in ransomware development, it is a logical choice for ESXi systems, since these Linux-based servers ship with Python installed by default.<\/p>\n\n\n\n<p style=\"text-align: justify;\">As the security researchers found while investigating a ransomware incident, a Python ransomware script was used to encrypt a victim\u2019s virtual machines running on a vulnerable ESXi hypervisor within three hours of the initial breach.<\/p>\n\n\n\n<p style=\"text-align: justify;\">\u201cA recently concluded investigation into a ransomware attack revealed that the threat actors executed a custom Python script on the target\u2019s virtual machine hypervisor to encrypt all the virtual disks, taking the organization\u2019s VMs offline.\u201d<\/p>\n\n\n\n<p style=\"text-align: justify;\">\u201cIn what was one of the quickest attacks researchers have investigated, from the time of the first negotiation until the setup of the ransomware script, the threat actors spent just over three hours on the target\u2019s network before encrypting the virtual disks in a VMware ESXi server.\u201d<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>VMs Encrypted Using a 6KB 
Script<\/strong><\/h2>\n\n\n\n<p style=\"text-align: justify;\">In the middle of the night, over a weekend, the threat actors broke into the victim\u2019s network by logging into a TeamViewer account running on a device where a domain administrator was logged on.<\/p>\n\n\n\n<p style=\"text-align: justify;\">Once in, they began scanning the network for additional targets using Advanced IP Scanner and logged onto an ESXi server via ESXi\u2019s built-in SSH service, which the IT staff had left enabled (even though it is disabled by default).<\/p>\n\n\n\n<p style=\"text-align: justify;\">The ransomware operators then ran a 6KB Python script to encrypt all the virtual machines\u2019 virtual disks and VM configuration files. The script retrieved encryption keys and email addresses and set a custom file suffix for the encrypted files.<\/p>\n\n\n\n<p style=\"text-align: justify;\">It works by shutting down the virtual machines, overwriting the original files stored on the datastore volumes, then deleting them to block recovery attempts, leaving only the encrypted files behind.<\/p>\n\n\n\n<p style=\"text-align: justify;\">&#8220;Administrators who operate ESXi or other hypervisors on their networks should follow security best practices, avoiding password reuse, and using complex, difficult-to-brute-force passwords of adequate length,&#8221; Brandt recommended. 
&#8220;Wherever possible, enable the use of multi-factor authentication and enforce the use of MFA for accounts with high permissions, such as domain administrators.&#8221;<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"279\" height=\"180\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/10\/VMware-ESXi-Servers-encrypt-by-a-Ransomware-Group-using-Python-Script-image1.jpg\" alt=\"VMware-ESXi-Servers-encrypt-by-a-Ransomware-Group-using-Python-Script-image1\" class=\"wp-image-3341\"\/><\/figure><\/div>\n\n\n\n<p style=\"text-align: justify;\">VMware also provides guidance on securing ESXi servers by limiting the risk of unauthorized access and reducing the attack surface of the hypervisor itself.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Why are VMware ESXi servers under attack?<\/strong><\/h2>\n\n\n\n<p style=\"text-align: justify;\">Attacking ESXi servers is a highly disruptive tactic for ransomware groups, since most of them run multiple virtual machines simultaneously, with business-critical services and applications deployed on many of them.<\/p>\n\n\n\n<p style=\"text-align: justify;\">Multiple ransomware gangs, including Darkside, RansomExx, and Babuk Locker, have exploited VMware ESXi pre-auth RCE bugs to encrypt virtual hard disks used as centralized enterprise storage.<\/p>\n\n\n\n<p style=\"text-align: justify;\">This is not the first incident in which Python-based malicious tools have been used to target Internet-exposed VMware servers.<\/p>\n\n\n\n<p style=\"text-align: justify;\">In June, researchers spotted the multi-platform, Python-based FreakOut malware, which targets Windows and Linux devices, upgraded to worm its way onto VMware vCenter servers left unpatched against a critical RCE bug present in all default installs.<\/p>\n\n\n\n<p style=\"text-align: justify;\">FreakOut is an obfuscated Python 
script designed to evade detection with the help of a polymorphic engine and a user-mode rootkit that protects the malicious files dropped on infected systems.<\/p>\n\n\n\n<p style=\"text-align: justify;\">Linux versions of the HelloKitty and BlackMatter ransomware were also detected in the wild in July and August, both of them targeting VMware\u2019s ESXi virtual machine platform.<\/p>\n\n\n\n<p style=\"text-align: justify;\">To make matters worse, with VMware ESXi being one of the most popular, if not the most popular, enterprise virtual machine platforms, almost every enterprise-targeting ransomware gang has started developing encryptors designed specifically to target ESXi virtual machines.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The operators of an unknown ransomware gang are utilizing a Python script to encrypt the virtual machines hosted on VMware ESXi servers. While the Python programming language is not usually utilized in ransomware development, it is a logical choice for ESXi systems, seeing that such Linux-based servers come with Python installed by default. 
As the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":3342,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.11 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>VMware ESXi Servers encrypt by a Ransomware Group using Python Script - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"VMware ESXi Servers encrypt by a Ransomware Group using Python Script - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"The operators of an unknown ransomware gang are utilizing a Python script to encrypt the virtual machines hosted on VMware ESXi servers. While the Python programming language is not usually utilized in ransomware development, it is a logical choice for ESXi systems, seeing that such Linux-based servers come with Python installed by default. 
As the [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-10-06T08:02:08+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-10-06T08:02:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/10\/VMware-ESXi-Servers-encrypt-by-a-Ransomware-Group-using-Python-Script-featured-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"VMware ESXi Servers encrypt by a Ransomware Group using Python Script\",\"datePublished\":\"2021-10-06T08:02:08+00:00\",\"dateModified\":\"2021-10-06T08:02:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/\"},\"wordCount\":628,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Breaches\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/\",\"url\":\"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/\",\"name\":\"VMware ESXi Servers encrypt by a Ransomware Group using Python Script - Xiarch Solutions Private 
Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-10-06T08:02:08+00:00\",\"dateModified\":\"2021-10-06T08:02:10+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"VMware ESXi Servers encrypt by a Ransomware Group using Python Script\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"VMware ESXi Servers encrypt by a Ransomware Group using Python Script - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/","og_locale":"en_US","og_type":"article","og_title":"VMware ESXi Servers encrypt by a Ransomware Group using Python Script - Xiarch Solutions Private Limited","og_description":"The operators of an unknown ransomware gang are utilizing a Python script to encrypt the virtual machines hosted on VMware ESXi servers. While the Python programming language is not usually utilized in ransomware development, it is a logical choice for ESXi systems, seeing that such Linux-based servers come with Python installed by default. As the [&hellip;]","og_url":"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-10-06T08:02:08+00:00","article_modified_time":"2021-10-06T08:02:10+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/10\/VMware-ESXi-Servers-encrypt-by-a-Ransomware-Group-using-Python-Script-featured-image.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"VMware ESXi Servers encrypt by a Ransomware Group using Python Script","datePublished":"2021-10-06T08:02:08+00:00","dateModified":"2021-10-06T08:02:10+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/"},"wordCount":628,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Breaches"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/","url":"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/","name":"VMware ESXi Servers encrypt by a Ransomware Group using Python Script - Xiarch Solutions Private 
Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-10-06T08:02:08+00:00","dateModified":"2021-10-06T08:02:10+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/vmware-esxi-servers-encrypt-by-a-ransomware-group-using-python-script\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"VMware ESXi Servers encrypt by a Ransomware Group using Python Script"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch 
Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3339"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=3339"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3339\/revisions"}],"predecessor-version":[{"id":3343,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/3339\/revisions\/3343"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/3342"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=3339"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=3339"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=3339"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}