Ransomware is one of the most frightening forms of malware faced by enterprises today and it is now coming after your hypervisors. CrowdStrike recently reported two new ransomware strains infiltrating VMware ESXi devices.
- In H2 2020, groups Sprite Spider and Carbon Spider deployed Linux versions of Defray777 and Darkside, respectively, targeting VMware hypervisors.
- According to some experts, the attackers abused two vulnerabilities in VMware ESXi, tracked as CVE-2019-5544 and CVE-2020-3992.
- Compromised hypervisors helped adversaries quickly increase the scope of affected systems within the victim environment; thus, adding pressure on victims for a quick payout.
- CrowdStrike labeled the technique as Hypervisor Jackpotting.
It should be noted that ESXi is not a Linux operating system; however, developers can run some Linux-compiled ELF binaries within the ESXi command shell.
Ransomware attacks on virtual machines aren’t new
- In October 2020, RegretLocker sported advanced techniques enabling actors to encrypt virtual hard drives and close open files to encrypt them. They used OpenVirtualDisk, AttachVirtualDisk, and GetVirtualDiskPhysicalPath functions to mount virtual disks for encryption.
- The now-defunct Maze actors were also observed, last year, adopting techniques to distribute file-encrypting payloads on the virtual hard drive running Windows 7.
- In May 2020, the RagnarLocker group was spotted running Oracle VirtualBox to attack a victim inside a Windows XP virtual machine while hiding its presence.
Secure it now
The operational flexibility offered by hypervisors calls for the attention of security teams to exceptionally secure the infrastructure to avoid any mishap. Securing a VM really isn’t all that different from securing a physical server. Besides all of the standard best practices, such as keeping the OS and applications up to date with the latest patches, using strong passwords, running anti-malware software, it’s a good idea to check your hypervisor vendor’s security recommendations.