Researchers uncovered a new Python ransomware from an unnamed gang that attacks ESXi servers and virtual machines (VMs) with "sniper-like" speed. Sophos stated on Tuesday that the ransomware is being used to infiltrate and encrypt virtual machines housed on an ESXi hypervisor in operations that take less than three hours from start to finish.
In a press release accompanying his in-depth report, Andrew Brandt, principal researcher at Sophos, said, “This is one of the fastest ransomware attacks Sophos has ever investigated, and it appeared to precision-target the ESXi platform.”
The Python coding language is rarely used for ransomware, according to Brandt. But, he continued, its use makes sense because Python comes pre-installed on Linux-based systems like ESXi, allowing Python-based attacks on these systems.
The assault used a custom Python script that, when run on the target organization's virtual machine hypervisor, put all virtual machines offline. According to Sophos' security analysts, the attackers were swift to deploy the ransomware, the encryption process began about three hours after the initial intrusion.
The attackers gained initial access using a TeamViewer account that did not have multi-factor authentication enabled and was running in the background on a computer owned by a user with Domain Administrator credentials. According to Sophos, the attackers logged in 30 minutes after midnight in the organization's time zone, then downloaded and used a tool to discover targets on the network, which led them to a VMware ESXi server.
At roughly 2 a.m., the attackers used the built-in SSH service ESXi Shell to get into the server, which can be enabled on ESXi servers for administration purposes. The attackers logged into the ESXi Shell three hours after the network was first scanned, copied the Python script, and then ran it for each datastore disc volume, encrypting the virtual disc and settings files for virtual machines.
“The script contains variables that the attacker can configure with multiple encryption keys, email addresses, and where they can customize the file suffix that gets appended to encrypted files,” Brandt wrote.
Sophos investigators discovered several, hardcoded encryption keys as well as a method for creating even more encryption key pairs when traversing through the code. Normally, an attacker would just need to insert the attacker's own 'public key,' which would be used to encrypt files on the targeted computer(s), according to Brandt. However, it appears that each time this ransomware is launched, it generates a new key.