New Python ransomware aims for VMs hosted on ESXi hypervisor


Sophos Group researchers have released details of new ransomware, written in Python, that attackers deploy to compromise and encrypt virtual machines hosted on a VMware ESXi hypervisor.

The ransomware attack was first discovered at 12:30 am on Sunday, when those behind it broke into a TeamViewer account running on a computer belonging to a user who also held domain admin credentials. Ten minutes later, the attackers used the Advanced IP Scanner tool to look for weak points in the network.

The fastest they have ever seen

The researchers believe the VMware ESXi server on the network was vulnerable because its ESXi Shell, a command-line interface typically used for updates and maintenance commands, had been left enabled. This allowed the attackers to install Bitvise, a secure network communications (SSH) tool, on the domain admin's machine.

That tool gave the attackers remote access to the ESXi systems, including the virtual disk files used by the VMs.
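As an added example that is not part of the Sophos report, the following PowerCLI script audits every ESXi host managed by a vCenter for the two services the article describes as the attackers' way in, the ESXi Shell (service key "TSM") and SSH (service key "TSM-SSH"), and flags any host where either is running or set to start automatically. It assumes VMware PowerCLI is installed and uses "vcenter.example.internal" as a placeholder address.

```powershell
# Added example, not code from the article or from Sophos.
# Audit ESXi hosts for an enabled ESXi Shell ("TSM") or SSH service ("TSM-SSH").
# Assumes VMware PowerCLI is installed; the vCenter address below is a placeholder.

Connect-VIServer -Server "vcenter.example.internal"

$riskyKeys = @("TSM", "TSM-SSH")   # TSM = ESXi Shell, TSM-SSH = SSH daemon

$findings = foreach ($vmhost in Get-VMHost) {
    $services = Get-VMHostService -VMHost $vmhost |
        Where-Object { $riskyKeys -contains $_.Key }
    foreach ($svc in $services) {
        # A service that is running now, or whose startup policy is not "off",
        # remains reachable after a reboot and is worth a finding.
        if ($svc.Running -or $svc.Policy -ne "off") {
            [PSCustomObject]@{
                Host    = $vmhost.Name
                Service = $svc.Label
                Key     = $svc.Key
                Running = $svc.Running
                Policy  = $svc.Policy
            }
        }
    }
}

$findings | Format-Table -AutoSize

# Remediation for the hosts flagged above: stop the service and set its startup
# policy to "off". Uncomment only after confirming no maintenance workflow needs it.
# foreach ($f in $findings) {
#     $svc = Get-VMHostService -VMHost (Get-VMHost -Name $f.Host) |
#         Where-Object { $_.Key -eq $f.Key }
#     Stop-VMHostService -HostService $svc -Confirm:$false
#     Set-VMHostService -HostService $svc -Policy "off"
# }

Disconnect-VIServer -Confirm:$false
```

Hosts with no findings are the expected state; any row in the output is a host where an interactive shell is reachable the same way the article describes.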

By 3:40 am, the attackers had deployed the ransomware and encrypted the virtual hard drives hosted on the ESXi server. Andrew Brandt, a principal researcher at Sophos, said this was one of the fastest ransomware attacks the researchers have ever investigated.

There is a Python in the system

The programming language is seldom used for writing ransomware. However, it comes pre-installed on Linux-based systems like ESXi, which makes Python-based attacks on such systems possible.

Brandt further noted that ESXi servers present an attractive target for ransomware threat actors, since they can go after multiple VMs at once. Given that the VMs could be running different but interdependent business-critical apps or services, the fallout could be devastating.

The researchers reiterated something we have heard often in recent months: follow security best practices. So far, however, that advice does not seem to be holding back the tide of ransomware attacks.