Ransomware on ESXi

  • 29 December 2022
  • 6 comments
  • 183 views


I'm sure everyone has heard a story about ransomware attacking virtual machines from within ESXi. While I thought those were rare, special cases, I was quite surprised when reading VMware's security blog.
One post mentions 15 different ransomware families that 'support' VMware ESXi.

  • AvosLocker
  • Babuk
  • Black Basta
  • BlackCat
  • Cheerscrypt
  • Conti
  • DarkSide/BlackMatter
  • Defray777/RansomEXX
  • GwisinLocker
  • HelloKitty
  • Hive
  • Lockbit
  • Luna
  • RedAlert
  • REvil

Some of them were designed for ESXi; others are more generic and don't even shut down the VMs before starting the encryption.
In the end, they cause catastrophic damage and are hard to detect or stop.

Protect against ESXi ransomware

It seems that ransomware on ESXi hosts often needs to be executed manually.
So the primary goal will be to secure access to the ESXi hosts:

  • separate management and production network
  • lock down the ESXi Shell/SSH
  • regularly patch ESXi hosts (some attacks were possible via unpatched vulnerabilities)
  • keep ESXi credentials secure
  • monitor for login attempts and unusual actions

Regular security solutions that run inside the VMs won't be of any help against those attacks.
VMware recommends their NSX products, although I don't have much experience with them.
Storage snapshots could be handy, if the storage itself isn't compromised.
Finally, if all fails, a well-designed backup should be able to save the day.

For more information, visit the corresponding VMware blog posts:

https://blogs.vmware.com/security/2022/09/esxi-targeting-ransomware-the-threats-that-are-after-your-virtual-machines-part-1.html

https://blogs.vmware.com/security/2022/10/esxi-targeting-ransomware-tactics-and-techniques-part-2.html

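One way to make the "monitor for login attempts and unusual actions" point concrete, as an added example that is not part of the original post or of VMware's material: a small detection pass over ESXi log lines. The log lines are constructed for this example; their layout approximates ESXi's /var/log/auth.log (sshd) and /var/log/shell.log (commands typed into the ESXi Shell). The management subnet 10.10.0.0/24, the failure threshold and the list of suspicious commands are assumptions to tune against your own baseline.

```python
"""Added example (not from the post or from VMware): flag failed/odd SSH logins
and suspicious ESXi Shell commands in constructed ESXi log lines."""
import ipaddress
import re
from collections import Counter

MGMT_NET = ipaddress.ip_network("10.10.0.0/24")  # assumed management subnet
FAIL_THRESHOLD = 3                                # failed logins per source IP

# auth.log: "<ts> sshd[<pid>]: (Accepted|Failed) <method> for [invalid user ]<user> from <ip> port <n> ssh2"
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# shell.log: "<ts> shell[<pid>]: [<user>]: <command>"
SHELL_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")

# Commands that are rare in day-to-day administration but typical for an operator
# who wants running VMs stopped (so their .vmdk files are unlocked) and a dropped
# binary executed. Assumed list, not taken from the post; extend it to your needs.
SUSPICIOUS_CMDS = [
    re.compile(r"esxcli vm process kill"),
    re.compile(r"vim-cmd vmsvc/power\.off"),
    re.compile(r"vim-cmd hostsvc/enable_(ssh|esx_shell)"),
    re.compile(r"chmod \+x"),
    re.compile(r"^/tmp/"),
    re.compile(r"find /vmfs/volumes"),
]

# Constructed sample logs: one normal admin session, then a noisy intruder.
AUTH_LOG = """\
2022-12-29T08:01:11Z sshd[10234]: Accepted password for root from 10.10.0.21 port 51022 ssh2
2022-12-29T21:14:03Z sshd[20911]: Failed password for root from 192.168.5.77 port 40412 ssh2
2022-12-29T21:14:05Z sshd[20911]: Failed password for root from 192.168.5.77 port 40412 ssh2
2022-12-29T21:14:08Z sshd[20911]: Failed password for root from 192.168.5.77 port 40412 ssh2
2022-12-29T21:14:12Z sshd[20911]: Accepted password for root from 192.168.5.77 port 40412 ssh2
2022-12-29T21:15:00Z sshd[20950]: Failed password for invalid user admin from 192.168.5.77 port 40420 ssh2
"""
SHELL_LOG = """\
2022-12-29T08:02:40Z shell[10240]: [root]: esxcli system version get
2022-12-29T21:15:31Z shell[20920]: [root]: esxcli vm process list
2022-12-29T21:15:40Z shell[20920]: [root]: esxcli vm process kill --type=force --world-id=2101845
2022-12-29T21:15:52Z shell[20920]: [root]: chmod +x /tmp/encrypt
2022-12-29T21:15:55Z shell[20920]: [root]: /tmp/encrypt /vmfs/volumes
"""


def analyze_auth(lines):
    """Return (kind, detail) alerts: brute force per source IP, successful
    logins from outside the management network, and a success that follows
    earlier failures from the same IP (the classic password-guessing win)."""
    alerts = []
    failures = Counter()
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        if m["result"] == "Failed":
            failures[ip] += 1
            if failures[ip] == FAIL_THRESHOLD:  # fire once per IP
                alerts.append(("brute_force", f"{ip} reached {FAIL_THRESHOLD} failed SSH logins"))
            continue
        if ip not in MGMT_NET:
            alerts.append(("login_outside_mgmt", f"{m['user']} logged in from {ip}, outside {MGMT_NET}"))
        if failures[ip]:
            alerts.append(("success_after_failures", f"{m['user']} from {ip} succeeded after {failures[ip]} failures"))
    return alerts


def analyze_shell(lines):
    """Return (kind, detail) alerts for ESXi Shell commands matching SUSPICIOUS_CMDS."""
    alerts = []
    for line in lines:
        m = SHELL_RE.match(line)
        if not m:
            continue
        if any(pat.search(m["cmd"]) for pat in SUSPICIOUS_CMDS):
            alerts.append(("suspicious_command", f"{m['ts']} {m['user']}: {m['cmd']}"))
    return alerts


def analyze(auth_lines, shell_lines):
    """Combine both passes; in practice feed these from a syslog collector."""
    return analyze_auth(auth_lines) + analyze_shell(shell_lines)


if __name__ == "__main__":
    for kind, detail in analyze(AUTH_LOG.splitlines(), SHELL_LOG.splitlines()):
        print(f"[{kind}] {detail}")
```

The sample data produces six alerts: the three failed root logins from 192.168.5.77 trip the threshold, the following successful login is flagged both for coming from outside the management subnet and for succeeding after failures, and three shell commands (killing a VM process, marking a file in /tmp executable and running it) match the command patterns. Shipping ESXi logs to a remote syslog target first matters here: a host that is about to be encrypted is not the place to keep the only copy of its own logs.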

6 comments


Very interesting reading, Regnor. Thanks for sharing this.


Very interesting, the threats are getting more and more diverse…


Reading this info, my first experience with an encrypted datastore came to mind. It was vSphere 5.5, impossible to update due to software requirements and support. It was so scary seeing the entire datastore encrypted, and there was nothing to do but delete/format everything and recover from Veeam B&R.

Until that day, the initial thought was always: if it is in a datastore, it is safe. Nowadays, it is not.

Thanks for sharing.

Cheers.


Thanks for sharing the info!


Thanks for sharing, @regnor! I agree, some simple things being set manually can make the difference.


Thanks for sharing 👏🏻 All these steps you mentioned about securing access must be done.
