CM – New Python-based ransomware attacks unfold in record time


Threat researchers at Sophos have identified a new strain of unusually fast-acting ransomware, written in the Python programming language, that targets VMware ESXi servers and their virtual machines (VMs). It could pose a significant threat to many environments, since security teams often monitor such systems less closely for a variety of reasons.

While many cybercriminals spend a long time moving through their victims’ systems undetected before deploying ransomware, the operators behind this particular breed of “ultra-fast”, “sniper-like” attacks complete the whole operation within hours.

“This is one of the fastest ransomware attacks Sophos has ever investigated, and it seemed to target precisely the ESXi platform,” said Andrew Brandt, senior researcher at Sophos, who investigated an incident in which only three hours passed between the initial breach and encryption.

“Python is a programming language that is not normally used for ransomware. However, Python is preinstalled on Linux-based systems like ESXi, which enables Python-based attacks on such systems,” he said.

“ESXi servers are an attractive target for ransomware threat actors because they can attack multiple virtual machines at the same time, any of which may be running business-critical applications or services. Attacks on hypervisors can be both rapid and highly disruptive. Ransomware operators like DarkSide and REvil have attacked ESXi servers,” added Brandt.

In the case investigated, the attack began on a Sunday morning at half past midnight, when the ransomware operator gained access to a TeamViewer account running on the system of a user who held domain admin rights and credentials.

Within 10 minutes, according to Sophos, the attacker used the Advanced IP Scanner tool to scan for targets and located an ESXi server which, in this case, was probably vulnerable because its shell interface (the ESXi Shell) was enabled.

Then they installed the secure network communication tool Bitvise on the administrator’s computer, which gave them access to the ESXi system including the virtual hard disk files of the VMs. At 3:40 a.m., the ransomware was deployed and the files encrypted.

Brandt said that in this particular case the attacker had a certain amount of luck: the shell interface on the target server had been enabled and disabled multiple times by the victim’s IT team and was probably left enabled inadvertently, which made the attack much easier.

While ransomware that runs on Linux-like operating systems, such as the one used by ESXi, is fairly rare, those who take the time to develop it are more likely to hit the jackpot, as security teams often protect such systems somewhat less adequately.

“Administrators running ESXi or other hypervisors on their networks should follow security best practices. This includes using unique, hard-to-enforce passwords and enforcing the use of multi-factor authentication wherever possible,” said Brandt.

“The ESXi Shell can and should be disabled when it is not being used by employees for routine maintenance work, for example during the installation of patches. The IT team can do this either using controls on the server console or through software management tools provided by the vendor.”
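The two points above, that the shell had been toggled repeatedly and left enabled by mistake, and that it should be off whenever no maintenance is running, can be turned into a routine check. The script below is an added example written for this article, not code from Sophos or VMware: it reads ESXi vobd.log-style audit lines, pairs each shell or SSH “enabled” event with its “disabled” counterpart, and reports any window that exceeded a maintenance threshold or is still open at the reference time. The sample log lines are constructed, and the event ids `esx.audit.shell.enabled`/`.disabled` and `esx.audit.ssh.enabled`/`.disabled` are assumed to match what the host writes; confirm them against your own ESXi version before relying on the regex.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the style of ESXi's vobd.log (not from the article or from Sophos).
# The event ids used below are assumed; check the exact text on your own ESXi hosts.
SAMPLE_LOG = """\
2021-10-03T09:02:11.102Z: [UserLevelCorrelator] 118230us: [esx.audit.shell.enabled] ESXi Shell access has been enabled.
2021-10-03T09:41:57.880Z: [UserLevelCorrelator] 118231us: [esx.audit.shell.disabled] ESXi Shell access has been disabled.
2021-10-08T14:15:03.417Z: [UserLevelCorrelator] 118240us: [esx.audit.shell.enabled] ESXi Shell access has been enabled.
2021-10-08T14:20:49.005Z: [UserLevelCorrelator] 118241us: [esx.audit.shell.disabled] ESXi Shell access has been disabled.
2021-10-09T17:58:30.611Z: [UserLevelCorrelator] 118250us: [esx.audit.shell.enabled] ESXi Shell access has been enabled.
2021-10-10T00:31:02.900Z: [UserLevelCorrelator] 118251us: [esx.audit.ssh.enabled] SSH access has been enabled.
"""

# Timestamp at the start of the line, then the audit event id in square brackets.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z):.*?"
    r"\[esx\.audit\.(?P<service>shell|ssh)\.(?P<state>enabled|disabled)\]"
)


def parse_ts(s):
    """vobd.log timestamps are UTC with a trailing Z; keep them naive for simple arithmetic."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ")


def parse_events(text):
    """Return (timestamp, service, state) tuples; lines without an audit event are ignored."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            events.append((parse_ts(m.group("ts")), m.group("service"), m.group("state")))
    return events


def _finding(service, start, end, duration):
    return {
        "service": service,
        "enabled_at": start,
        "disabled_at": end,
        "duration": duration,
        "reason": "still enabled" if end is None else "enabled longer than maintenance window",
    }


def audit_shell_exposure(text, max_window_minutes=60, now=None):
    """Flag shell/SSH enable windows longer than max_window_minutes, plus any still open at `now`.

    `now` is an ISO timestamp string in the log's format; it defaults to the current UTC time.
    """
    now_ts = parse_ts(now) if now else datetime.now(timezone.utc).replace(tzinfo=None)
    max_window = timedelta(minutes=max_window_minutes)
    findings = []
    open_since = {}  # service -> timestamp of the enable event that opened the window
    for ts, service, state in parse_events(text):
        if state == "enabled":
            open_since.setdefault(service, ts)  # repeated enables keep the earliest start
            continue
        start = open_since.pop(service, None)
        if start is not None and ts - start > max_window:
            findings.append(_finding(service, start, ts, ts - start))
    # Anything never disabled is the case the article describes: left on by accident.
    for service, start in open_since.items():
        findings.append(_finding(service, start, None, now_ts - start))
    return findings


if __name__ == "__main__":
    # Reference time chosen to match the article's timeline (3:40 a.m. on the day of encryption).
    for f in audit_shell_exposure(SAMPLE_LOG, now="2021-10-10T03:40:00.000Z"):
        print(f"{f['service']:5s} enabled {f['enabled_at']} -> {f['disabled_at']} "
              f"({f['duration']}): {f['reason']}")
```

Run against the constructed sample, the two short maintenance windows on 3 and 8 October pass, while the shell enabled on the evening of 9 October and the SSH service enabled after midnight are both reported as still open. The same state can be confirmed on the host with `vim-cmd hostsvc/disable_esx_shell` and `vim-cmd hostsvc/disable_ssh` (or with PowerCLI’s `Get-VMHostService` and `Stop-VMHostService` on the `TSM` and `TSM-SSH` services), which is the console and vendor-tool route the quote above refers to.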

Further details on the ransomware involved, including some notable tactics, techniques and procedures (TTPs), can be obtained from Sophos, while VMware’s guide to protecting ESXi hypervisors can be found here.

