Threat Watch

Ransomware Group Encrypts VMware ESXi Servers With Python Script

According to researchers at Sophos, an unknown ransomware group used a Python script to encrypt virtual machines hosted on VMware ESXi servers. The attack began with the group logging into a TeamViewer account running on a device where a domain administrator was logged on. Once in, the operators scanned the network for additional targets with an advanced IP scanner and then logged onto an ESXi server through the built-in SSH ESXi Shell service, which the IT staff had accidentally left enabled. They then executed a Python script that encrypted the virtual disk and VM settings files of every virtual machine. The partially recovered script lets the operators supply multiple encryption keys and email addresses, which are used to customize the file suffix of the encrypted files. The script shut down the virtual machines, overwrote the original files stored on the datastore volumes, and then deleted them to block recovery attempts, leaving only the encrypted files behind. Use of a Python script by ransomware actors is uncommon, but since ESXi servers are Linux-based, they ship with Python already installed.
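The attack chain described above leaves a recognisable trail on the ESXi host itself: an interactive SSH login, VMs being powered off from the shell, a Python script being launched, and VM files being removed from a datastore. The following script is an added detection example written for this bulletin, not code from Sophos or from the attackers. It runs a few rules over constructed log lines modelled loosely on ESXi's `/var/log/auth.log` and `/var/log/shell.log` (the shell log records each command typed into the ESXi Shell); the log formats, paths and sample values are assumptions for illustration, and real formats vary by ESXi version.

```python
"""Flag the ESXi ransomware chain from the bulletin in ESXi host log lines.

Added example: the log format below is an assumption modelled on ESXi's
auth.log (sshd entries) and shell.log (commands typed into the ESXi Shell).
Sample lines are constructed, not real incident data.
"""
import re

# Constructed sample log lines (timestamps, PIDs, IPs and paths are made up).
SAMPLE_LOGS = """\
2021-10-05T02:10:11Z sshd[2099906]: Accepted password for root from 10.20.30.40 port 51234 ssh2
2021-10-05T02:10:12Z shell[2099930]: [root]: vim-cmd vmsvc/getallvms
2021-10-05T02:11:03Z shell[2099930]: [root]: vim-cmd vmsvc/power.off 12
2021-10-05T02:11:04Z shell[2099930]: [root]: vim-cmd vmsvc/power.off 13
2021-10-05T02:12:40Z shell[2099930]: [root]: python /tmp/encrypt.py /vmfs/volumes/datastore1
2021-10-05T02:45:10Z shell[2099930]: [root]: rm /vmfs/volumes/datastore1/web01/web01.vmdk
2021-10-05T03:00:00Z shell[2099950]: [root]: esxcli system version get
"""

# "<timestamp> <process>[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>[A-Za-z_-]+)\[\d+\]:\s+(?P<msg>.*)$")
# shell.log message body: "[<user>]: <command>"
SHELL_MSG_RE = re.compile(r"^\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$")
# sshd successful login
SSH_LOGIN_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")

# Shell-command rules mirroring the steps in the bulletin: (name, weight, regex)
SHELL_RULES = [
    ("vm_power_off", 2, re.compile(r"\bvim-cmd\s+vmsvc/power\.off\b")),   # VMs shut down
    ("python_script_run", 3, re.compile(r"\bpython[0-9.]*\s+\S+\.py\b")),  # script launched
    ("vm_file_delete", 3, re.compile(r"\brm\b.*\.(vmdk|vmx)\b")),          # VM files removed
]
DESTRUCTIVE_RULES = {"vm_power_off", "python_script_run", "vm_file_delete"}


def parse_line(line):
    """Split one log line into timestamp, process name and message, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Return (rule_name, weight, detail) for a matching entry, else None."""
    proc, msg = entry["proc"], entry["msg"]
    if proc == "sshd":
        m = SSH_LOGIN_RE.match(msg)
        return ("ssh_login", 1, f"{m['user']} from {m['src']}") if m else None
    if proc == "shell":
        m = SHELL_MSG_RE.match(msg)
        if not m:
            return None
        for name, weight, rx in SHELL_RULES:
            if rx.search(m["cmd"]):
                return (name, weight, m["cmd"])
    return None


def analyze(text):
    """Run the rules over a block of log text and summarise what fired.

    An alert is raised only when at least two distinct destructive steps
    (power-off, script launch, VM file deletion) are seen, so a single
    routine power-off or script run does not page anyone on its own.
    """
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hit = classify(entry)
        if hit:
            name, weight, detail = hit
            findings.append({"ts": entry["ts"], "rule": name,
                             "weight": weight, "detail": detail})
    rules_hit = {f["rule"] for f in findings}
    return {
        "findings": findings,
        "rules_hit": rules_hit,
        "score": sum(f["weight"] for f in findings),
        "alert": len(rules_hit & DESTRUCTIVE_RULES) >= 2,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOGS)
    for f in result["findings"]:
        print(f"{f['ts']} {f['rule']:<18} {f['detail']}")
    print("score:", result["score"], "alert:", result["alert"])
```

In practice the same rules would be fed by whatever forwards ESXi syslog to a SIEM, and the SSH login rule is worth keeping at low weight even on hosts where the service is supposed to be disabled: on such a host any successful SSH login is itself the finding, since it means the service was turned on.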
Administrators of ESXi servers should follow security best practices, including avoiding password reuse and using complex passwords. Wherever possible, Multi-Factor Authentication (MFA) should be enabled, and an authenticator app is strongly recommended over SMS codes: threat actors can often intercept SMS-delivered MFA codes if they gain access to the user's mobile device.
VMware also provides advice on securing ESXi servers, which can be found here: