News

Special Python script encrypts VMware ESXi servers

Photo of Daniel Zimmermann Daniel ZimmermannOctober 6, 2021
0 256 1 minute read

Unknown ransomware uses a Python script to encrypt virtual machines on VMware ESXi servers, Sophos researchers warn.

Although regular Python is almost never used in the development of ransomware, it is a perfectly logical choice for ESXi, since such Linux-based servers usually come with Python installed by default.

A recently completed ransomware investigation revealed that attackers executed a special Python script on the victim’s virtual machine hypervisor to encrypt all virtual disks and disable the organization’s virtual machines.the analysts said.

It is noted that this was one of the fastest attacks investigated by Sophos: it took about three hours from the moment of the hack to the deployment of the ransomware script.

The attackers compromised the victim’s network on a weekend night by logging into the TeamViewer account running on the device with domain administrator rights. Once they got online, the hackers started looking for additional targets with Advanced IP Scanner and logged into the ESXi server through the built-in ESXi Shell SSH service, which was accidentally left enabled (disabled by default). Then the ransomware operators executed a 6Kb script written in Python to encrypt the virtual disks and configuration files of all virtual machines.

Ransomware note from cybercriminals
Ransomware note from cybercriminals

Bleeping Computer notes that this is not the first time an attack on ESXi servers has occurred.

Attacking ESXi servers is a very destructive tactic for ransomware groups as most of them run multiple virtual machines at the same time, many of which have business-critical services and applications deployed. Multiple ransomware gangs, including Darkside, RansomExx and Babuk Locker, have exploited RCE pre-authorization failures in VMWare ESXi to encrypt virtual hard disks used as centralized corporate storage.journalists of Bleeping Computer say.
This is also not the first time malware written in Python has been used against VMware servers. For example, this summer, Cisco Talos researchers discovered that FreakOut malware, written in Python and typically targeting Windows and Linux devices, was updated to attack VMware vCenter servers and exploited an RCE vulnerability.

Let me remind you that we also said that Spammers flooded the PyPI repository with links to pirated movies.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Tags
Photo of Daniel Zimmermann Daniel ZimmermannOctober 6, 2021
0 256 1 minute read
Photo of Daniel Zimmermann

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

AMD Zen 3 processors vulnerable

AMD Zen 3 processors are vulnerable to side-channel attacks

April 5, 2021
MontysThree Malware attacks enterprises

MontysThree malware attacks industrial enterprises

October 8, 2020
Vietnamese government hackers Bismuth

Microsoft linked Vietnamese government hackers Bismuth to mining campaigns

December 1, 2020

Google Chrome will block download of certain files with HTTP-protocol

April 11, 2019

Leave a Reply

Your email address will not be published. Required fields are marked *

Sending

This site uses Akismet to reduce spam. Learn how your comment data is processed.

© Copyright 2024, All Rights Reserved  | Adware.Guru;
Back to top button