Sophos researchers discover new Python ransomware targeting ESXi server and virtual machines in lightning-fast attack

OXFORD, United Kingdom, 05 October 2021 (GLOBE NEWSWIRE) – Sophos, a global leader in next-generation cybersecurity, has released details of new ransomware written in Python that attackers are using to compromise and encrypt virtual machines hosted on an ESXi hypervisor. The report, “Python Ransomware Script Targets ESXi Server for Encryption,” details a sniper-like operation that took less than three hours to go from breach to encryption.

“This is one of the fastest ransomware attacks Sophos has ever investigated, and it appears to target the ESXi platform with precision,” said Andrew Brandt, senior researcher at Sophos. “Python is a coding language that is not commonly used for ransomware. However, Python is pre-installed on Linux-based systems such as ESXi, which makes Python-based attacks possible on these systems. ESXi servers represent an attractive target for ransomware threat actors, as they can attack multiple virtual machines at a time, where each of the virtual machines could run critical business applications or services. Attacks on hypervisors can be both rapid and very disruptive. Ransomware operators, including DarkSide and REvil, have targeted ESXi servers in attacks.”

Timeline of the attack

Sophos’ investigation revealed that the attack began at 12:30 a.m. on a Sunday, when the ransomware operators broke into a TeamViewer account running on a computer owned by a user who also held domain administrator credentials.

According to investigators, 10 minutes later the attackers used the Advanced IP Scanner tool to search for targets on the network. Investigators believe the ESXi server on the network was vulnerable because it had an active ESXi Shell, a programming interface that IT teams use for commands and updates. This allowed the attackers to install a secure network communication tool called Bitvise on the machine owned by the domain administrator, which gave them remote access to the ESXi system, including the virtual disk files used by its virtual machines. At around 3:40 a.m., the attackers deployed the ransomware and encrypted the virtual hard drives hosted on the ESXi server.

Security advice

“Administrators who operate ESXi or other hypervisors on their networks should follow security best practices. This includes using unique, hard-to-brute-force passwords and enforcing multi-factor authentication where possible,” said Brandt. “The ESXi Shell can and should be turned off whenever it is not in use by personnel for routine maintenance, for example when installing patches. The IT team can do this either by using commands on the server console or through the software management tools provided by the vendor.”
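As an added example (not from the Sophos report and not Sophos’ own tooling), the following VMware PowerCLI script shows one way to apply that advice from the vendor’s management tooling: it lists every host whose ESXi Shell or SSH service is running or set to start automatically, stops the service, sets its startup policy to off, and applies an idle timeout so a shell re-enabled for maintenance closes itself. It assumes PowerCLI is installed and uses a placeholder vCenter name.

```powershell
# Added example: audit and harden ESXi Shell / SSH on every host managed by a vCenter.
# Assumes VMware PowerCLI; the vCenter name below is a placeholder to replace.
Connect-VIServer -Server 'vcenter.example.invalid' | Out-Null

# ESXi host service keys: 'TSM' = ESXi Shell, 'TSM-SSH' = SSH
$remoteShells = @('TSM', 'TSM-SSH')

# Idle timeouts in seconds, so a shell opened for patching does not stay open afterwards
$timeouts = @{
    'UserVars.ESXiShellTimeOut'            = 600
    'UserVars.ESXiShellInteractiveTimeOut' = 600
}

foreach ($vmhost in Get-VMHost) {
    $services = Get-VMHostService -VMHost $vmhost | Where-Object { $remoteShells -contains $_.Key }
    foreach ($svc in $services) {
        # Report the current state first: a running shell with an 'on' policy is the exposure
        Write-Host ('{0}: {1} running={2} policy={3}' -f $vmhost.Name, $svc.Label, $svc.Running, $svc.Policy)

        if ($svc.Running) {
            Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null
        }
        if ($svc.Policy -ne 'off') {
            # 'Off' means the service does not start with the host
            Set-VMHostService -HostService $svc -Policy Off -Confirm:$false | Out-Null
        }
    }

    foreach ($name in $timeouts.Keys) {
        $setting = Get-AdvancedSetting -Entity $vmhost -Name $name
        if ($setting.Value -ne $timeouts[$name]) {
            Set-AdvancedSetting -AdvancedSetting $setting -Value $timeouts[$name] -Confirm:$false | Out-Null
        }
    }
}

Disconnect-VIServer -Confirm:$false
```

Run it first with the Stop-/Set- lines commented out to get a plain inventory of which hosts still have a shell or SSH service enabled.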

Sophos endpoint products, such as Intercept X, protect users by detecting the actions and behaviors of ransomware and other attacks. The act of attempting to encrypt files is blocked by the CryptoGuard feature. Security tips specific to ESXi hypervisors are available online.

Sophos further recommends the following standard best practices to help defend against ransomware and related cyber attacks:

At a strategic level

  • Deploy layered protection. As more and more ransomware attacks begin to involve extortion, backups are still needed, but insufficient. It’s more important than ever to ward off adversaries or detect them early, before they cause damage. Use layered protection to block and detect attackers at as many points as possible across the domain.

  • Combine human experts with anti-ransomware technology. The key to stopping ransomware is defense in depth that combines dedicated anti-ransomware technology and human-led threat hunting. Technology provides the scale and automation that an organization needs, while human experts are best able to detect the telltale tactics, techniques and procedures that indicate an attacker is attempting to enter the environment. If organizations don’t have the skills in-house, they can turn to cybersecurity specialists.

At the daily tactical level

  • Monitor and respond to alerts. Ensure that the appropriate tools, processes, and resources (people) are available to monitor, investigate, and respond to threats observed in the environment. Ransomware attackers often schedule their strike during off-peak hours, weekends, or holidays, assuming little or no staff are monitoring.

  • Set and enforce strong passwords. Strong passwords are one of the first lines of defense. Passwords should be unique or complex and never be reused. This is easier to achieve with a password manager that can store staff credentials.

  • Use multi-factor authentication (MFA). Even strong passwords can be compromised. Any form of multi-factor authentication is better than none at securing access to critical resources such as email, remote management tools, and network assets.

  • Lock down accessible services. Perform scans from outside the network, then identify and lock down ports commonly used by VNC, RDP, or other remote access tools. If a machine needs to be accessed using a remote management tool, place that tool behind a VPN or zero-trust network access solution that uses MFA as part of its connection.

  • Practice segmentation and zero trust. Separate critical servers from each other and from workstations by placing them in separate VLANs while you work towards a zero trust network model.

  • Perform offline backups of information and applications. Keep backups up to date, ensure their recoverability and keep a copy offline.

  • Inventory your assets and accounts. Unknown, unprotected, and unpatched devices on the network increase risk and create a situation where malicious activity could go unnoticed. It is essential to have an up-to-date inventory of all connected compute instances. Use network scans, IaaS tools, and physical controls to locate and catalog them, and install endpoint protection software on all unprotected machines.

  • Make sure the security products are configured correctly. Under-protected systems and devices are also vulnerable. It is important to make sure that the security solutions are correctly configured, and to check, validate and update the security policies regularly. New security features are not always activated automatically. Do not disable tamper protection and do not create broad detection exclusions, as this will make an attacker’s job easier.

  • Audit Active Directory (AD). Perform regular audits on all accounts in AD, making sure none have more access than is necessary for their purpose. Deactivate accounts for departing employees as soon as they leave the company.

  • Patch everything. Keep Windows and other operating systems and software up to date. This also means double-checking that the fixes were installed correctly and are in place for critical systems such as Internet-facing machines or domain controllers.

To learn more, please read the Python ransomware article on SophosLabs Uncut.

Additional resources

  • Tactics, Techniques and Procedures (TTPs) and more for different types of threats are available at SophosLabs Uncut, which provides the latest threat intelligence from Sophos.

  • Information on attacker behavior, incident reports and tips for security operations professionals are available at Sophos SecOps news.

  • Learn more about the Sophos Rapid Response service, which contains, neutralizes and investigates attacks 24/7.

  • The top four tips for responding to a security incident, from Sophos Rapid Response and the Managed Threat Response team.

  • Read the latest security news and advisories on the award-winning Sophos news site Naked Security and on Sophos News.

About Sophos
Sophos is a global leader in next-generation cybersecurity, protecting more than 500,000 organizations and millions of consumers in more than 150 countries from today’s most advanced cyber threats. Leveraging threat intelligence, AI and machine learning from SophosLabs and Sophos AI, Sophos offers a wide range of advanced products and services to secure users, networks and endpoints against ransomware, malware, exploits, phishing, and the wide array of other cyberattacks. Sophos provides a single integrated cloud management console, Sophos Central – the centerpiece of an adaptive cybersecurity ecosystem that includes a centralized data lake that leverages a rich set of open APIs available to customers, partners, developers and other cybersecurity vendors. Sophos sells its products and services through reseller partners and Managed Service Providers (MSPs) around the world. Sophos is headquartered in Oxford, UK. More information is available at

Contact: Samantha Powers [email protected]
