Attackers used a script written in Python during a recent ransomware attack that took only three hours, encrypting all virtual disks on the target’s virtual machine hypervisor.
Andrew Brandt, senior researcher at global security firm Sophos, said in a blog post that the attack took all of the organization's virtual machines offline.
The ransom note was built into the script itself, he noted. The target was running the VMware ESXi server.
The Python script embeds the text of the ransom note.
Unlike other VMware products, ESXi runs on bare metal and includes its own kernel. Initially it included a Linux kernel, and at that time it was known as ESX; ESX development stopped at version 4.1, according to Wikipedia.
ESXi does not have a Linux kernel; its microkernel has three interfaces: hardware, guest systems, and the service console.
If ransomware infects virtual machines on an ESXi system, it could spread to Windows machines on the same network, as ESXi is often connected to Active Directory.
Brandt said the attackers gained entry by logging into a TeamViewer account, which did not have MFA configured, on a PC whose user held domain administrator credentials on the target network.
The script embeds the file suffix it appends to the encrypted files (ext) and the email addresses (mail, mail2) to use to contact the attacker for ransom payment as variables.
The connection took place half an hour after midnight and a tool called Advanced IP Scanner was downloaded 10 minutes later to identify other targets on the network.
At 2 a.m., an SSH client called Bitvise was downloaded and used to connect to the VMware ESXi server. ESXi has a built-in SSH server called the ESXi Shell; it is disabled by default, but in this case it had been enabled and never disabled.
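The SSH login to the ESXi host was the pivot point of the attack, and hypervisors rarely carry endpoint detection tools, so a practical defensive check is to forward the host's authentication log to a collector and flag SSH logins that did not come from an approved admin host. The following POSIX shell script is an added example, not code from the article or from Sophos: the log lines are constructed and only loosely modelled on the format of ESXi's /var/log/auth.log, and the jump-host addresses in ADMIN_HOSTS are assumed.

```shell
#!/bin/sh
# Flags SSH logins to an ESXi host that did not originate from an approved
# admin jump host. Run against a copy of the host's auth.log (or the
# forwarded syslog stream); ESXi itself rarely has a detection agent.

# Assumed addresses of the site's admin jump hosts; adjust for your estate.
ADMIN_HOSTS="10.10.0.5 10.10.0.6"

# Constructed sample log, loosely modelled on ESXi's auth.log format.
# Not captured data: the timeline mirrors the article's 00:30 / 02:00 story.
write_sample_log() {
    cat > "$1" <<'EOF'
2021-10-05T00:31:08Z sshd[2098811]: Accepted publickey for root from 10.10.0.5 port 50112 ssh2
2021-10-05T01:58:40Z sshd[2099201]: Failed password for root from 10.20.7.33 port 49800 ssh2
2021-10-05T02:00:12Z sshd[2099230]: Accepted keyboard-interactive/pam for root from 10.20.7.33 port 49812 ssh2
2021-10-05T02:14:55Z sshd[2099412]: Accepted keyboard-interactive/pam for root from 10.20.7.41 port 51020 ssh2
2021-10-05T03:10:02Z sshd[2099711]: Accepted publickey for root from 10.10.0.6 port 50210 ssh2
EOF
}

# Print "<timestamp> <user> <source-ip>" for every successful SSH login
# whose source address is not in ADMIN_HOSTS. Failed attempts are ignored
# here; they belong in a separate brute-force check.
flag_unexpected_ssh() {
    logfile="$1"
    awk -v allow="$ADMIN_HOSTS" '
        BEGIN {
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        /sshd\[[0-9]+\]: Accepted / {
            user = ""; src = ""
            # sshd lines read "... for <user> from <ip> port <n> ssh2"
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") src  = $(i + 1)
            }
            if (!(src in ok)) print $1, user, src
        }' "$logfile"
}

# Demo: write the constructed sample log and print the flagged logins.
sample=$(mktemp)
write_sample_log "$sample"
flag_unexpected_ssh "$sample"
rm -f "$sample"
```

Run as shown and the two 02:00-era logins from the unapproved 10.20.7.x addresses are reported while the jump-host logins are not. In practice the allow-list would be the jump hosts that are permitted to reach the hypervisor's management interface, and any hit outside a scheduled maintenance window deserves an immediate look.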
The script used was only 6KB, and Brandt was impressed with how much functionality fit in that small space.
“Only 6KB long, the small size of the script belies its capabilities,” he wrote. “The script contains variables that the attacker can configure with multiple encryption keys, email addresses, and where he can customize the file suffix that is added to encrypted files.”
Encryption keys are generated on the fly. “One thing we noticed while going through the code was the presence of several hard-coded encryption keys, as well as a routine to generate even more encryption key pairs,” noted Brandt.
ESXi management tools can enable or disable the ESXi Shell from the tool or locally on the console connected to the server. The shell defaults to “Stopped”.
“Normally, an attacker would only need to embed the ‘public key’ that the attacker generated on his own machine and which would be used to encrypt files on the targeted computer(s). But this ransomware seems to create a unique key each time it’s executed.”
In the case of this attack, there were three data stores, so three unique key pairs were generated.
Brandt pointed out that while malware running on a system like ESXi was rare, it was even rarer for detection tools to be installed on such endpoints.
“Hypervisors, in general, are often very attractive targets for this type of attack because the virtual machines they host can perform business-critical services or functions,” he said.
The use of ESXi Shell can be enabled or disabled from a physical console or through normal management tools provided by VMware, Brandt said.
“Administrators should only allow the Shell to be active during staff use, and should turn it off as soon as maintenance (such as installing patches) is complete,” he added.
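One way to put Brandt's advice into practice, as an added example that is not from the article or from Sophos: a small script, intended to run in the ESXi Shell itself, that enables the shell and SSH services only for the duration of a maintenance task and disables them again afterwards, even if the task fails. The vim-cmd hostsvc/* service commands and the esxcli advanced option /UserVars/ESXiShellTimeOut are assumed from VMware's ESXi command set and should be verified against the host's ESXi version; esxcli software vib list stands in for the real maintenance task, and DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Opens the ESXi Shell and SSH only for the duration of a maintenance task
# and closes both again afterwards, even when the task fails.
# Intended for the ESXi Shell (busybox sh). Set DRY_RUN=1 to print the
# commands instead of running them, e.g. to review a change first.

# Execute a command, or just print it in dry-run mode.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Enable and start the ESXi Shell and SSH services (assumed vim-cmd names).
open_shell_access() {
    run vim-cmd hostsvc/enable_esx_shell
    run vim-cmd hostsvc/start_esx_shell
    run vim-cmd hostsvc/enable_ssh
    run vim-cmd hostsvc/start_ssh
    # Safety net: the host stops the shell services itself after this many
    # seconds even if close_shell_access never runs (assumed option name).
    run esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i 3600
}

# Stop and disable both services again so the host returns to its default.
close_shell_access() {
    run vim-cmd hostsvc/stop_ssh
    run vim-cmd hostsvc/disable_ssh
    run vim-cmd hostsvc/stop_esx_shell
    run vim-cmd hostsvc/disable_esx_shell
}

# maintenance_window <task command...>: open access, run the task, and
# always close access afterwards; returns the task's exit status.
maintenance_window() {
    open_shell_access
    # If the task aborts the shell, still close access on exit.
    trap 'close_shell_access' EXIT
    rc=0
    run "$@" || rc=$?
    close_shell_access
    trap - EXIT
    return $rc
}

# Entry point: with arguments, run them as the maintenance task; with none,
# only define the functions so the file can be sourced.
if [ $# -gt 0 ]; then
    maintenance_window "$@"
fi
```

For example, DRY_RUN=1 ./maintenance_window.sh esxcli software vib list prints the enable commands, the task, and the disable commands in order without touching the host. The timeout setting is the piece that matters most here: it closes the window automatically even when the administrator forgets, which is exactly the gap the attackers in this case walked through.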
Screenshots courtesy of Sophos