Special Python script encrypts VMware ESXi servers

Unknown ransomware uses a Python script to encrypt virtual machines on VMware ESXi servers, Sophos researchers warn.

Although Python is almost never used to write ransomware, it is a perfectly logical choice for ESXi, since such Linux-based servers usually come with Python installed by default.

“A recently completed ransomware investigation revealed that attackers executed a special Python script on the victim’s virtual machine hypervisor to encrypt all virtual disks and disable the organization’s virtual machines,” the analysts said.

Sophos notes that this was one of the fastest attacks it has investigated: only about three hours passed from the initial intrusion to the deployment of the ransomware script.

The attackers compromised the victim’s network on a weekend night by logging into a TeamViewer account running on a device with domain administrator rights. Once inside, the hackers searched for additional targets with Advanced IP Scanner and logged into the ESXi server through the built-in ESXi Shell SSH service, which is disabled by default but had accidentally been left enabled. The ransomware operators then executed a 6 KB script written in Python to encrypt the virtual disks and configuration files of all virtual machines.
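The intrusion described above hinged on an SSH login to the ESXi host on a weekend night from a machine that was not a normal admin workstation. The following detection logic is an added example, not code from the article or from Sophos: it parses OpenSSH-style “Accepted …” lines of the kind ESXi’s sshd writes to its auth log (sample lines are constructed here) and flags logins that fall on a weekend, outside an assumed working-hours window, or from outside an assumed admin subnet.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in OpenSSH "Accepted ..." format with ISO-8601 UTC
# timestamps; this is not a real ESXi log capture.
SAMPLE_AUTH_LOG = """\
2021-10-04T09:15:42Z esxi01 sshd[2204]: Accepted publickey for root from 10.10.1.20 port 50122 ssh2
2021-10-09T23:41:07Z esxi01 sshd[3411]: Accepted keyboard-interactive/pam for root from 10.10.5.77 port 41872 ssh2
2021-10-10T00:03:19Z esxi01 sshd[3415]: Failed keyboard-interactive/pam for root from 10.10.5.77 port 41899 ssh2
2021-10-06T14:02:00Z esxi01 sshd[2890]: Accepted publickey for root from 10.10.1.20 port 50410 ssh2
"""

ACCEPTED = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+Accepted\s+(?P<method>\S+)"
    r"\s+for\s+(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)

# Assumed site policy (placeholders): admin jump hosts live in 10.10.1.0/24 and
# hypervisor maintenance happens 07:00-18:59 UTC on weekdays.
ALLOWED_SOURCES = ("10.10.1.",)
WORK_HOURS = range(7, 19)


def parse_accepted(line):
    """Return a dict for a successful SSH login line, or None for anything else."""
    m = ACCEPTED.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "src": m["src"], "method": m["method"]}


def flag_logins(log_text):
    """Return (host, user, src, timestamp, reasons) for every suspicious login."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_accepted(line)
        if ev is None:
            continue
        reasons = []
        if ev["ts"].weekday() >= 5:            # Saturday/Sunday
            reasons.append("weekend")
        if ev["ts"].hour not in WORK_HOURS:    # night-time or off-hours
            reasons.append("outside-hours")
        if not ev["src"].startswith(ALLOWED_SOURCES):
            reasons.append("unexpected-source")
        if reasons:
            findings.append((ev["host"], ev["user"], ev["src"],
                             ev["ts"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for finding in flag_logins(SAMPLE_AUTH_LOG):
        print(*finding)
```

Only the Saturday-night login from 10.10.5.77 is flagged; the failed attempt is ignored because it is not an accepted login, and the weekday logins from the admin subnet pass every check.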

Ransomware note from cybercriminals

Bleeping Computer notes that this is not the first time an attack on ESXi servers has occurred.

“Attacking ESXi servers is a very destructive tactic for ransomware groups, as most of them run multiple virtual machines at the same time, many of which host business-critical services and applications. Multiple ransomware gangs, including Darkside, RansomExx and Babuk Locker, have exploited pre-authentication RCE vulnerabilities in VMware ESXi to encrypt virtual hard disks used as centralized corporate storage,” the journalists of Bleeping Computer say.

This is also not the first time malware written in Python has been used against VMware servers. For example, this summer Cisco Talos researchers discovered that the FreakOut malware, written in Python and typically targeting Windows and Linux devices, had been updated to attack VMware vCenter servers by exploiting an RCE vulnerability.

As a reminder, we also reported that spammers flooded the PyPI repository with links to pirated movies.


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
