
New Python-based ransomware attacks unfold in record time

Threat researchers at Sophos have identified a new strain of unusually fast-acting ransomware written in the Python programming language that has targeted VMware ESXi servers and virtual machines (VMs). It could present a significant threat in many environments where, for various reasons, security teams pay such systems less attention.

While many cyber criminal operations spend considerable lengths of time moving around undetected in their victims’ systems before deploying ransomware, the operators of this particular variety are conducting “ultra-high speed”, “sniper-like” attacks that unfold over a matter of hours.

“This is one of the fastest ransomware attacks Sophos has ever investigated, and it appeared to precision-target the ESXi platform,” said Andrew Brandt, principal researcher at Sophos, who investigated one such incident during which just three hours elapsed between breach and encryption.

“Python is a coding language not commonly used for ransomware. However, Python is pre-installed on Linux-based systems such as ESXi, and this makes Python-based attacks possible on such systems,” he said.

“ESXi servers represent an attractive target for ransomware threat actors because they can attack multiple virtual machines at once, where each of the virtual machines could be running business-critical applications or services. Attacks on hypervisors can be both fast and highly disruptive. Ransomware operators including DarkSide and REvil have targeted ESXi servers in attacks,” added Brandt.

In the investigated case, the attack began at half past midnight on a Sunday morning, when the ransomware operator obtained access to a TeamViewer account on the system of a user with domain admin rights and credentials.

Within 10 minutes, Sophos said, the attacker used the Advanced IP Scanner tool to sniff out targets, zeroing in on an ESXi server that, in this case, was likely vulnerable because its shell interface (the ESXi Shell) was enabled.

They then installed the Bitvise secure network communications tool on the admin’s machine, which gave them access to the ESXi system, including the VMs’ virtual disk files. By 3:40 am, the ransomware had been deployed and files encrypted.

Brandt said that in this particular case there was a certain amount of luck on the part of the attacker, in that the shell interface on the target server had been enabled and disabled several times in the weeks leading up to the attack by the victim’s IT team, and was likely left enabled by accident, making the attack much easier to carry out.

While ransomware that runs on Linux-like operating systems such as that used by ESXi is quite uncommon, those who take the time to develop it may be more likely to hit the jackpot, as security teams are often somewhat less likely to protect such systems adequately.

“Administrators who operate ESXi or other hypervisors on their networks should follow security best practices. This includes using unique, difficult to brute-force passwords and enforcing the use of multi-factor authentication wherever possible,” said Brandt.

“The ESXi Shell can and should be disabled whenever it is not being used by staff for routine maintenance – for instance, during the installation of patches. The IT team can do this by either using controls on the server console or through the software management tools provided by the vendor.”
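As an added example (not code from the article, from Sophos or from VMware), the following PowerCLI script does what Brandt recommends through the vendor's management tooling: it lists the ESXi Shell and SSH services on every host known to a vCenter and, when run with -Remediate, stops them, sets their startup policy to off, and adds an idle timeout so that a shell enabled for maintenance and then forgotten switches itself off. It assumes the VMware PowerCLI module is installed and that the vCenter hostname is passed as $VCenter.

```powershell
# Added example, not the article's or VMware's own code.
# Audit (and optionally enforce) "ESXi Shell and SSH off unless in use" across a vCenter.
param(
    [Parameter(Mandatory = $true)][string]$VCenter,   # vCenter FQDN, assumed
    [switch]$Remediate                                 # without this switch the script only reports
)

Connect-VIServer -Server $VCenter | Out-Null

# Service keys ESXi uses: TSM = ESXi Shell, TSM-SSH = SSH.
$watched = @('TSM', 'TSM-SSH')

foreach ($vmhost in Get-VMHost) {
    $services = Get-VMHostService -VMHost $vmhost | Where-Object { $watched -contains $_.Key }
    foreach ($svc in $services) {
        $state = if ($svc.Running) { 'RUNNING' } else { 'stopped' }
        Write-Host ("{0,-30} {1,-8} {2,-8} policy={3}" -f $vmhost.Name, $svc.Key, $state, $svc.Policy)

        if ($Remediate) {
            # Stop the service now and make sure it does not start again after a reboot.
            if ($svc.Running) {
                Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null
            }
            if ($svc.Policy -ne 'off') {
                Set-VMHostService -HostService $svc -Policy Off | Out-Null
            }
        }
    }

    if ($Remediate) {
        # Safety net for the "left enabled by accident" case described in the article:
        # the shell disables itself after 900 s of availability, and idle interactive
        # sessions are closed after 900 s.
        foreach ($name in 'UserVars.ESXiShellTimeOut', 'UserVars.ESXiShellInteractiveTimeOut') {
            Get-AdvancedSetting -Entity $vmhost -Name $name |
                Set-AdvancedSetting -Value 900 -Confirm:$false | Out-Null
        }
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it without -Remediate first to see which hosts currently have either service running or set to start automatically; a host that shows RUNNING outside a maintenance window is exactly the condition the attack above relied on.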

More details of the ransomware involved, including some noteworthy tactics, techniques and procedures (TTPs), are available from Sophos, while VMware’s guidance on protecting ESXi hypervisors can be found here.
