On Tuesday the 5th of October 2021, Sophos said the malware, a new variant written in Python, was deployed ten minutes after threat actors managed to break into a TeamViewer account belonging to the victim organisation.
How did the ransomware spread?
TeamViewer is a control and access platform that can be used by the general public and businesses alike to manage and control PCs and mobile devices remotely.
As the software was installed on a machine used by an individual who also held domain administrator credentials, it took only ten minutes – from 12.30 am to 12.40 am on a Sunday – for the attackers to find a vulnerable ESXi server suitable for the next stage of the assault.
VMware ESXi is an enterprise-grade, bare-metal hypervisor used by vSphere, a system designed to manage both containers and virtual machines (VMs).
The researchers say the ESXi server was likely exposed to exploitation because of an active shell, and this led to the installation of Bitvise, SSH software used – legitimately, at least – for Windows server administration tasks.
In this case, the threat actors utilised Bitvise to tap into ESXi and the virtual disk files used by active VMs.
“ESXi servers have a built-in SSH service called the ESXi Shell that administrators can enable, but is normally disabled by default,” Sophos says. “This organization’s IT staff was accustomed to using the ESXi Shell to manage the server, and had enabled and disabled the shell multiple times in the month prior to the attack. However, the last time they enabled the shell, they failed to disable it afterwards.”
Three hours in, and the cyberattackers were able to deploy their Python ransomware and encrypt the virtual hard drives.
The script used to hijack the company’s VM setup was only 6 KB in length but contained variables including different sets of encryption keys, email addresses, and options for customising the file suffix appended to encrypted files in a ransomware-based attack.
How did the ransomware impact the machines?
The malware created a map of the drive, inventoried the VM names, and then powered each virtual machine off. Once they were all disabled, full database encryption began. OpenSSL was then weaponised to encrypt them all quickly, with the script issuing an encryption command for each VM name it had logged on the hypervisor.
Once encryption was complete, the reconnaissance files were overwritten with the word f*ck and then deleted.
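Two of the conditions described above are easy to watch for on the hypervisor side: an ESXi Shell (or SSH) service that is enabled and never disabled again, and a burst of VM power-off events from one host shortly before disks are touched. The script below is an added example written for this article, not tooling from Sophos or the affected organisation. It runs over a constructed, simplified event stream whose record layout (timestamp, host, event, detail), host names, VM names and IP address are all assumptions for the example and do not reflect the real ESXi hostd or shell log format.

```python
"""Hypothetical detection logic (added example, not from the original article).

Scans a simplified, constructed event stream for two conditions the incident
illustrates:
  1. an ESXi Shell / SSH service enabled and not disabled again within a
     grace period (the misconfiguration that left the door open);
  2. many VM power-off events on one host inside a short window, the
     prelude to encrypting the virtual disks.
The record format (timestamp, host, event, detail) is an assumption for this
example, not the real ESXi log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (UTC timestamp, host, event, detail).
# Host names, VM names and the address are made up for the example.
SAMPLE_EVENTS = [
    ("2021-09-12T00:05:00", "esx01", "service_enabled", "ESXiShell"),
    ("2021-09-12T00:20:00", "esx01", "service_disabled", "ESXiShell"),
    ("2021-09-20T14:00:00", "esx01", "vm_poweroff", "vm-test01"),  # routine single power-off
    ("2021-09-25T09:00:00", "esx01", "service_enabled", "ESXiShell"),  # never disabled again
    ("2021-10-03T00:30:00", "esx01", "ssh_login", "root from 203.0.113.10"),
    ("2021-10-03T03:31:00", "esx01", "vm_poweroff", "vm-db01"),
    ("2021-10-03T03:32:00", "esx01", "vm_poweroff", "vm-web01"),
    ("2021-10-03T03:32:30", "esx01", "vm_poweroff", "vm-web02"),
    ("2021-10-03T03:33:00", "esx01", "vm_poweroff", "vm-file01"),
    ("2021-10-03T03:34:00", "esx01", "vm_poweroff", "vm-dc01"),
]


def _parse(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp)


def find_lingering_shells(events, grace_hours: float = 1.0):
    """Return (host, service, enabled_at) for every service enable that has no
    matching disable and is older than grace_hours at the end of the stream."""
    pending = {}          # (host, service) -> earliest unmatched enable time
    last_seen = None      # latest timestamp in the stream, used as "now"
    for ts, host, event, detail in events:
        stamp = _parse(ts)
        last_seen = stamp if last_seen is None or stamp > last_seen else last_seen
        key = (host, detail)
        if event == "service_enabled":
            pending.setdefault(key, stamp)
        elif event == "service_disabled":
            pending.pop(key, None)
    grace = timedelta(hours=grace_hours)
    return [
        (host, service, enabled_at.isoformat())
        for (host, service), enabled_at in pending.items()
        if last_seen is not None and last_seen - enabled_at > grace
    ]


def find_poweroff_bursts(events, window_minutes: int = 10, threshold: int = 3):
    """Return (host, first_poweroff, count) for each host where at least
    `threshold` VM power-offs fall inside a `window_minutes` window."""
    window = timedelta(minutes=window_minutes)
    per_host = defaultdict(list)
    for ts, host, event, detail in events:
        if event == "vm_poweroff":
            per_host[host].append(_parse(ts))

    bursts = []
    for host, stamps in per_host.items():
        stamps.sort()
        i = 0
        while i < len(stamps):
            j = i
            # extend the window while the next power-off is still inside it
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                bursts.append((host, stamps[i].isoformat(), count))
                i = j + 1  # do not report overlapping windows twice
            else:
                i += 1
    return bursts


if __name__ == "__main__":
    for host, svc, since in find_lingering_shells(SAMPLE_EVENTS):
        print(f"[shell left open] {host}: {svc} enabled since {since}")
    for host, start, n in find_poweroff_bursts(SAMPLE_EVENTS):
        print(f"[mass power-off] {host}: {n} VMs powered off starting {start}")
```

The shell check keeps only the earliest unmatched enable per host and service, so repeated enable/disable cycles like the ones the IT staff performed are cleared as they happen and only the final forgotten enable survives. The power-off check advances past a window once it has reported it, so a single shutdown wave produces one alert rather than one per VM; tune `threshold` to the number of VMs that would realistically be stopped together during maintenance.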
Big game ransomware groups including DarkSide – responsible for the Colonial Pipeline attack – and REvil are known to use this technique. Sophos says the sheer speed of this case, however, should remind IT administrators that security standards need to be maintained on VM platforms as well as standard corporate networks.
Why was Python used for this cyber attack?
“Python is a coding language not commonly used for ransomware,” commented Andrew Brandt, principal researcher at Sophos. “However, Python is pre-installed on Linux-based systems such as ESXi, and this makes Python-based attacks possible on such systems. ESXi servers represent an attractive target for ransomware threat actors because they can attack multiple virtual machines at once, where each of the virtual machines could be running business-critical applications or services.”
Contact us today to find out more about how you can protect your infrastructure against the latest ransomware attacks.
Call us on 02 9387 3888 or fill in the Contact Form.