Attackers used a Python script during a recent ransomware attack that lasted only three hours and encrypted the virtual disks of every virtual machine on the target’s hypervisor.
Andrew Brandt, senior researcher at global security company Sophos, said in a blog post that this resulted in all of the organization’s VMs being taken offline.
The ransom note was embedded in the script itself, he noted. The target was running a VMware ESXi server.
The Python script embeds the text of the ransom note.
Unlike other VMware products, ESXi runs on bare metal and contains its own kernel. Early versions, known as ESX, included a Linux kernel; that line ended with version 4.1, according to Wikipedia.
ESXi does not have a Linux kernel; its microkernel has three interfaces: hardware, guest systems and the service console.
If ransomware were to infect VMs on an ESXi system, it could spread to Windows computers in the same network, since ESXi is often connected to Active Directory.
Brandt said the attackers gained access through a TeamViewer account with no MFA configured, on a PC whose user held domain admin credentials on the target network.
The script stores as variables the file suffix (ext) appended to encrypted files and the email addresses (mail, mail2) the victim is to use to contact the attacker about paying the ransom.
The login came half an hour past midnight, and 10 minutes later a tool called Advanced IP Scanner was downloaded to identify other targets on the network.
At 2 a.m., an SSH client called Bitvise was downloaded and used to log into the VMware ESXi server. ESXi has a built-in SSH server known as the ESXi Shell. It is disabled by default, but in this case it had been left enabled.
The script used was only 6 KB, and Brandt was impressed with what it could fit into such a small space.
“The script is only 6K in length and the small size of the script belies its capabilities,” he wrote. “The script contains variables that the attacker can configure with multiple encryption keys and e-mail addresses, and in which he can customize the file suffix that is appended to encrypted files.”
Encryption keys are generated during operation. “One thing that we noticed while stepping through the code was the presence of multiple hard-coded encryption keys and a routine to generate even more encryption key pairs,” noted Brandt.
ESXi administration tools can enable or disable the ESXi Shell either within the tool or locally on the console connected to the server. The shell is set to “Stopped” by default.
“Normally, an attacker would only have to embed the ‘public key’ that the attacker generated on their own computer and that is used to encrypt files on the target computer(s). But this ransomware seems to create a unique key every time it is run.”
There were three data stores in this attack, so three unique key pairs were generated.
Brandt pointed out that while malware running on a system like ESXi was rare, it was even rarer for detection tools to be installed on such endpoints.
“Hypervisors in general are often quite attractive targets for this type of attack because the VMs they host may be performing business-critical services or functions,” he said.
The ESXi shell can be switched on or off either via a physical console or via VMware’s normal management tools, Brandt said.
“Administrators should only keep the shell active while personnel are using it and disable it once maintenance (such as installing patches) is complete,” he added.
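A fleet-wide check of the setting discussed above, written as an added PowerCLI example rather than code from Sophos or iTWire: it lists every host on which the ESXi Shell or the SSH server is running or set to start automatically, and with a switch stops them and sets their startup policy to Off. The $VCenter parameter and the -Remediate switch are this example’s own assumptions.

```powershell
# Added example (not from the Sophos post or the iTWire article): audit every
# host in a vCenter for the ESXi Shell (service key "TSM") and SSH ("TSM-SSH")
# and, with -Remediate, stop them and set the startup policy to Off so they
# stay stopped across reboots. Requires the VMware.PowerCLI module.
param(
    [Parameter(Mandatory)] [string] $VCenter,   # assumed: vCenter to audit
    [switch] $Remediate                          # assumed: fix, not just report
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter -ErrorAction Stop | Out-Null

$watched = @('TSM', 'TSM-SSH')   # ESXi Shell and SSH server service keys

$findings = foreach ($vmhost in Get-VMHost) {
    $services = Get-VMHostService -VMHost $vmhost | Where-Object { $watched -contains $_.Key }
    foreach ($svc in $services) {
        # Either condition is a finding: the service is running now, or its
        # policy ("on"/"automatic") would start it again after a reboot.
        $exposed = $svc.Running -or ($svc.Policy -ne 'off')

        [pscustomobject]@{
            Host    = $vmhost.Name
            Service = $svc.Label
            Running = $svc.Running
            Policy  = $svc.Policy
            Exposed = $exposed
        }

        if ($Remediate -and $exposed) {
            if ($svc.Running) {
                Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null
            }
            Set-VMHostService -HostService $svc -Policy Off | Out-Null
        }
    }
}

# Exposed hosts first, so the report leads with what needs attention.
$findings | Sort-Object Exposed -Descending | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it without -Remediate during normal operations to confirm the shell is stopped everywhere, and again after a maintenance window to catch hosts where it was left on.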
Screenshots courtesy of Sophos