Cybersecurity specialists have reported details of a new ransomware campaign that attacks virtual machines (VMs) hosted on VMware ESXi hypervisors.
Describing it as a sniper-like operation, Sophos investigators report that it took the attackers less than three hours from initial intrusion to encryption of the target.
Andrew Brandt, principal researcher at Sophos, said: "This is one of the wildest and fastest ransomware attacks Sophos has ever scrutinised, and it seemed to precision-target the ESXi platform."
The investigators note that while malware that runs on a Linux-like operating system, such as the one ESXi uses, is still comparatively rare, hypervisors are an attractive target because the VMs they host usually run business-critical services.
What did the investigators conclude about this new Python ransomware?
Sophos investigators add that even notorious ransomware operators such as DarkSide and REvil have targeted ESXi servers.
However, two characteristics of this particular attack stand out: the speed shown by the attackers, and the use of Python-based ransomware.
The intruders got into the network by compromising a TeamViewer account that was running in the background on a machine belonging to a user with Domain Administrator credentials.
Ten minutes after logging in, the attackers downloaded an IP scanner to map the network. Soon after identifying the ESXi server, they discovered that the target's staff had forgotten to disable the built-in SSH service in ESXi.
It did not take them long to log into the hypervisor and deploy the Python ransomware.
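The pivot described above only worked because SSH on the hypervisor was left enabled. The practical baseline is that the service is off (on the ESXi shell, `vim-cmd hostsvc/stop_ssh` followed by `vim-cmd hostsvc/disable_ssh`), which means any accepted SSH login to an ESXi host is itself an alert. The following is an added example, not code from the Sophos report or from the attackers' script: it parses constructed lines written in the style of ESXi's /var/log/auth.log, flags every accepted login, downgrades logins from an assumed list of approved admin jump hosts, and counts earlier failed attempts from the same source. The log lines, host addresses and the jump-host list are all constructed for illustration.

```python
import re

# Constructed sample lines in the style of ESXi's /var/log/auth.log; they are
# illustrative and not taken from the Sophos investigation.
SAMPLE_AUTH_LOG = """\
2021-10-05T14:02:11Z sshd[2098001]: Accepted keyboard-interactive/pam for root from 10.10.5.20 port 50122 ssh2
2021-10-05T14:02:11Z sshd[2098001]: Session opened for 'root' on /dev/char/pty/t0
2021-10-05T14:40:53Z sshd[2098340]: Failed keyboard-interactive/pam for root from 10.10.8.77 port 58010 ssh2
2021-10-05T14:41:02Z sshd[2098340]: Accepted keyboard-interactive/pam for root from 10.10.8.77 port 58010 ssh2
2021-10-05T14:41:02Z sshd[2098340]: Session opened for 'root' on /dev/char/pty/t1
"""

# Matches sshd Accepted/Failed lines; every other auth.log line is ignored.
SSH_AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)


def parse_ssh_auth(log_text):
    """Return one dict per sshd Accepted/Failed line with ts, result, user, src."""
    events = []
    for line in log_text.splitlines():
        m = SSH_AUTH_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def ssh_login_alerts(log_text, approved_sources=frozenset()):
    """Raise an alert for every accepted SSH login to the hypervisor.

    Because SSH on ESXi is expected to be disabled, any accepted login is worth
    a ticket. A login from an approved admin jump host (assumed allowlist) is
    reported as 'notice'; anything else is 'high'. The number of earlier failed
    attempts from the same source is attached, since a failure followed by a
    success is what a guessed or stuffed password looks like from the host.
    """
    events = parse_ssh_auth(log_text)
    alerts = []
    for i, ev in enumerate(events):
        if ev["result"] != "Accepted":
            continue
        prior_failures = sum(
            1 for e in events[:i]
            if e["result"] == "Failed" and e["src"] == ev["src"]
        )
        alerts.append({
            "ts": ev["ts"],
            "user": ev["user"],
            "src": ev["src"],
            "severity": "notice" if ev["src"] in approved_sources else "high",
            "prior_failures": prior_failures,
        })
    return alerts


if __name__ == "__main__":
    # 10.10.5.20 is the assumed admin jump host; 10.10.8.77 is not.
    for alert in ssh_login_alerts(SAMPLE_AUTH_LOG, approved_sources={"10.10.5.20"}):
        print(alert)
```

In a real deployment the log text would come from syslog forwarding off the host (ESXi can ship /var/log to a remote collector), and the allowlist would be the management network's jump hosts; a login from a domain user's workstation, as in the case described here, would be reported as high severity.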
According to the researchers, who managed to recover the ransomware for analysis only after considerable effort:
"Python is a coding language not commonly used for ransomware. However, Python is pre-installed on Linux-based systems such as ESXi, and this makes Python-based attacks possible on such systems."
In their report, the investigators dissect the 6 KB ransomware, which despite its small size was highly destructive and offered the attackers numerous configurable options, in order to help admins protect their environments from a similar ransomware attack.