A new strain of Python-based malware was used in a campaign to achieve encryption on a corporate system in less than three hours. The attack, one of the fastest recorded by Sophos researchers, was carried out by hackers who targeted the ESXi platform to encrypt the victim’s virtual machines.
On Tuesday, Sophos stated that the malware, written in Python, was deployed ten minutes after the threat actors managed to break into a TeamViewer account owned by the victim organization.
TeamViewer is a control and access platform that can be used by both private individuals and companies to remotely manage and control PCs and mobile devices.
Since the software was installed on a computer used by a person who also held domain administrator credentials, it took the attackers only ten minutes – from 12.30 p.m. to 12.40 p.m. on a Sunday – to find a vulnerable ESXi server that was suitable for the next phase of the attack.
VMware ESXi is an enterprise bare metal hypervisor used by vSphere, a system that can manage both containers and virtual machines (VMs).
According to the researchers, the ESXi server was likely exposed because its shell had been left enabled, which allowed the attackers to install Bitvise, an SSH software that is – in its legitimate use – employed to manage Windows servers.
In this case, the attackers used Bitvise to access ESXi and the virtual disk files used by active VMs.
“ESXi servers have a built-in SSH service called ESXi Shell that administrators can enable but is usually disabled by default,” says Sophos. “The IT staff at this company were used to using the ESXi Shell to manage the server and had activated and deactivated the shell several times in the months prior to the attack. The last time they activated the shell, however, they neglected to deactivate it afterwards.”
After three hours, the cyber attackers were able to install their Python ransomware and encrypt the virtual hard drives. The script used to hijack the company’s VM infrastructure was only 6 KB in length but contained variables such as several sets of encryption keys, email addresses, and options to customize the file suffix appended to files encrypted during the attack.
The malware created a map of the drive, inventoried the VM names, and then powered off each virtual machine. Once they were all turned off, full encryption of the datastore began. OpenSSL was then used as a weapon to encrypt them all quickly: the script walked through the list of VM names it had logged on the hypervisor and issued an OpenSSL command for each one.
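Two of the observations above lend themselves to simple detection logic on the defender's side: a shell service that is switched on and never switched off again (the ESXi Shell left enabled), and a burst of VM power-off events in a short time window just before the encryption phase. The following script is an added example written for this article, not code from Sophos or from the malware it describes. It runs over a handful of constructed log lines in a simplified, hostd-like format that is an assumption made for the example (real ESXi log lines differ in layout, so the regular expression would need adjusting); the service names TSM (ESXi Shell) and TSM-SSH are the real ESXi host service names.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hostd-like line format.
# The line layout is an assumption for this example; real ESXi logs differ.
SAMPLE_LOG = """\
2021-10-03T12:31:05Z hostd: service TSM state changed to running by user admin
2021-10-03T12:40:10Z hostd: vm 'web-prod-01' state changed to poweredOn by user admin
2021-10-03T15:10:01Z hostd: vm 'db-prod-01' state changed to poweredOff by user admin
2021-10-03T15:10:03Z hostd: vm 'web-prod-01' state changed to poweredOff by user admin
2021-10-03T15:10:04Z hostd: vm 'web-prod-02' state changed to poweredOff by user admin
2021-10-03T15:10:06Z hostd: vm 'fileserver' state changed to poweredOff by user admin
2021-10-03T15:10:08Z hostd: vm 'dc-01' state changed to poweredOff by user admin
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) hostd: (?P<kind>service|vm) '?(?P<name>[^' ]+)'? "
    r"state changed to (?P<state>\w+)"
)

# ESXi host service names: TSM is the ESXi Shell, TSM-SSH is the SSH service.
SHELL_SERVICES = ("TSM", "TSM-SSH")


def parse_events(text):
    """Turn log text into a list of event dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "kind": m.group("kind"),
            "name": m.group("name"),
            "state": m.group("state"),
        })
    return events


def shell_left_enabled(events, services=SHELL_SERVICES):
    """Return the shell-type services whose most recent state is 'running',
    i.e. services that were enabled and never disabled again."""
    last_state = {}
    for ev in events:
        if ev["kind"] == "service" and ev["name"] in services:
            last_state[ev["name"]] = ev["state"]
    return sorted(name for name, state in last_state.items() if state == "running")


def detect_mass_poweroff(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a burst of power-offs: `threshold` or more distinct VMs powered off
    within `window`. Returns the sorted VM names of the first such burst, or []."""
    recent = deque()  # (timestamp, vm name) pairs inside the sliding window
    for ev in events:
        if ev["kind"] != "vm" or ev["state"] != "poweredOff":
            continue
        recent.append((ev["ts"], ev["name"]))
        while recent and ev["ts"] - recent[0][0] > window:
            recent.popleft()
        names = sorted({name for _, name in recent})
        if len(names) >= threshold:
            return names
    return []


def run_checks(text):
    """Run both checks over a log text and return the findings as a dict."""
    events = parse_events(text)
    return {
        "shell_services_running": shell_left_enabled(events),
        "mass_poweroff_vms": detect_mass_poweroff(events),
    }


if __name__ == "__main__":
    for check, result in run_checks(SAMPLE_LOG).items():
        print(f"{check}: {result or 'no finding'}")
```

On the constructed log, both checks fire: the ESXi Shell service was started and never stopped, and five VMs were powered off within seven seconds. The threshold and window are deliberately parameters, since a maintenance window in a real environment can legitimately power off many VMs and the values have to be tuned to what is normal for the host.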
Once the encryption was complete, the files created during reconnaissance were overwritten with the word f * ck and then deleted. Ransomware groups like DarkSide – responsible for the Colonial Pipeline attack – and REvil are known to use this technique. Sophos says the sheer speed of this case should remind IT administrators that security standards must be met on VM platforms as well as on standard corporate networks.
“Python is a programming language that is not typically used for ransomware,” said Andrew Brandt, Principal Researcher at Sophos. “However, Python is preinstalled on Linux-based systems such as ESXi, so that Python-based attacks on these systems are possible. ESXi servers are attractive targets for ransomware attackers because they can attack multiple virtual machines at the same time, on which business-critical applications or services can run.”