A previously unseen ransomware campaign is using a custom Python script to encrypt all the virtual disks in VMware ESXi servers -- already taking at least one organisation's VMs out of action, according to Sophos.
In what the security firm described as "one of the quickest attacks Sophos has investigated, from the time of the initial compromise until the deployment of the ransomware script", the attackers (who often spend months on internal reconnaissance) moved from initial breach to encrypting virtual disks in just three hours.
A textbook case of attackers only needing to be lucky once, the attack escalated rapidly by taking advantage of a number of basic errors: a TeamViewer account without MFA on a computer holding Domain Admin credentials, and an interactive command line environment for remote VM management left running.
"The attackers initially accessed their foothold by logging in to a TeamViewer account (one which didn’t have multi-factor authentication set up), running in the background on a computer that belongs to a user with Domain Administrator credentials in the target’s network," Sophos's Andrew Brandt noted. "The attackers logged on at 30 minutes past midnight in the target organization’s time zone, and ten minutes later downloaded and ran a tool called Advanced IP Scanner to identify targets on the network.
"Just before 2 am, the attackers downloaded an SSH client called Bitvise, and used it to log into a VMware ESXi server they identified using Advanced IP Scanner. ESXi servers have a built-in SSH service called the ESXi Shell that administrators can enable, but is normally disabled by default.
"This organization’s IT staff was accustomed to using the ESXi Shell to manage the server, and had enabled and disabled the shell multiple times in the month prior to the attack. However, the last time they enabled the shell, they failed to disable it afterwards. The criminals took advantage of this fortuitous situation when they found the shell was active."
The attackers used a small 6kb Python script, configurable with multiple encryption keys, to walk the filesystem of a datastore, create a directory map of the drive, and build an inventory of the names of every virtual machine on the hypervisor, writing them to a file called vms.txt. "It then executes the ESXi Shell command vim-cmd vmsvc/power.off, one time for each VM, passing the VM names to the command as a variable, one at a time. Only when the VMs have powered off will the script begin encrypting the datastore volumes," Sophos explained.
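A detection-side illustration, added here and not part of the Sophos analysis or the article: a Python check over ESXi shell history lines that flags the burst of vim-cmd vmsvc/power.off commands the script issues before it starts encrypting. The log lines are constructed to resemble /var/log/shell.log; the exact line format, timestamps and VM ids are assumptions.

```python
"""Flag a burst of mass VM power-off commands in ESXi shell history.
Added example, not from the Sophos write-up; the shell.log line
format below is an assumption and the sample lines are constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample: routine admin activity, then four power-offs
# issued within seconds of each other (the pre-encryption step).
SAMPLE_SHELL_LOG = """\
2021-10-05T00:40:01Z shell[2001]: [root]: vim-cmd vmsvc/getallvms
2021-10-05T00:40:05Z shell[2001]: [root]: esxcli storage filesystem list
2021-10-05T03:31:10Z shell[2077]: [root]: vim-cmd vmsvc/power.off 1
2021-10-05T03:31:11Z shell[2077]: [root]: vim-cmd vmsvc/power.off 2
2021-10-05T03:31:12Z shell[2077]: [root]: vim-cmd vmsvc/power.off 3
2021-10-05T03:31:13Z shell[2077]: [root]: vim-cmd vmsvc/power.off 4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)Z shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)
POWEROFF_RE = re.compile(r"\bvim-cmd\s+vmsvc/power\.off\b")


def parse_shell_log(text):
    """Yield (timestamp, user, command) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
            yield ts, m["user"], m["cmd"]


def find_poweroff_bursts(text, threshold=3, max_gap=timedelta(seconds=60)):
    """Group power.off commands into clusters where consecutive commands are
    at most `max_gap` apart; return (first_ts, last_ts, count) for clusters
    of at least `threshold` commands. Admins rarely power off many VMs
    from the shell in quick succession, so such a cluster merits a look."""
    times = [ts for ts, _, cmd in parse_shell_log(text) if POWEROFF_RE.search(cmd)]
    bursts, cluster = [], []
    for ts in times:
        if cluster and ts - cluster[-1] > max_gap:
            if len(cluster) >= threshold:
                bursts.append((cluster[0], cluster[-1], len(cluster)))
            cluster = []
        cluster.append(ts)
    if len(cluster) >= threshold:
        bursts.append((cluster[0], cluster[-1], len(cluster)))
    return bursts
```

Run against real shell history, pair this with an alert on the ESXi Shell or SSH service being left enabled, since the article notes the shell was only reachable because it had not been disabled after the last maintenance session.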