Cybersecurity firm Sygnia has shed light on a concerning trend in which ransomware attacks targeting VMware ESXi infrastructure follow a well-established pattern, regardless of the specific file-encrypting malware deployed. According to the Israeli company's incident response engagements involving various ransomware families, these attacks adhere to a similar sequence of actions.
The Attack Sequence
- Initial access is obtained through phishing attacks, malicious file downloads, or exploitation of known vulnerabilities in internet-facing assets.
- Attackers escalate their privileges to obtain credentials for ESXi hosts or vCenter using brute-force attacks or other methods.
- Access to the virtualization infrastructure is validated, and the ransomware is deployed.
- Backup systems are deleted, encrypted, or passwords are changed to complicate recovery efforts.
- Data is exfiltrated to external locations such as Mega.io, Dropbox, or attacker-controlled hosting services.
- The ransomware is executed and encrypts the contents of the "/vmfs/volumes" directory of the ESXi filesystem, where the datastores holding the virtual machines' disk and configuration files are mounted.
- The ransomware propagates to non-virtualized servers and workstations, widening the scope of the attack.
Mitigation Strategies
To mitigate the risks posed by such threats, organizations are advised to implement the following measures:
- Ensure adequate monitoring and logging are in place
- Create robust backup mechanisms
- Enforce strong authentication measures
- Harden the environment
- Implement network restrictions to prevent lateral movement
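The attack sequence above and the first mitigation (monitoring and logging) meet in the ESXi shell audit log: the recon, hardening tamper, VM shutdown, snapshot removal and encryptor launch all leave commands in /var/log/shell.log. The following is an added example, not code from the article or from Sygnia, that correlates those stages per user over constructed log lines. The line layout `<timestamp> shell[<pid>]: [<user>]: <command>` is an assumption approximating ESXi's shell.log, and the sample commands and binary name `/tmp/.locker` are constructed for the demonstration.

```python
"""Stage-based detection of the ESXi ransomware chain over shell.log lines.

Added example, not from the article or Sygnia. The log layout below is an
assumption approximating ESXi's /var/log/shell.log; adjust LINE_RE for your
release (ESXi 8 inserts a severity token after the timestamp).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. The root session mirrors the pre-encryption steps
# described above; the admin session is benign recon that must not alert.
SAMPLE_LOG = """\
2024-05-20T10:01:12Z shell[2099]: [root]: esxcli vm process list
2024-05-20T10:01:40Z shell[2099]: [root]: vim-cmd vmsvc/getallvms
2024-05-20T10:02:05Z shell[2099]: [root]: esxcli system settings advanced set -o /User/execInstalledOnly -i 0
2024-05-20T10:03:30Z shell[2099]: [root]: esxcli vm process kill --type=force --world-id=2100442
2024-05-20T10:03:31Z shell[2099]: [root]: esxcli vm process kill --type=force --world-id=2100512
2024-05-20T10:04:00Z shell[2099]: [root]: vim-cmd vmsvc/snapshot.removeall 7
2024-05-20T10:05:10Z shell[2099]: [root]: chmod +x /tmp/.locker
2024-05-20T10:05:12Z shell[2099]: [root]: /tmp/.locker /vmfs/volumes
2024-05-20T14:30:00Z shell[3311]: [admin]: esxcli vm process list
2024-05-20T14:31:00Z shell[3311]: [admin]: esxcli storage filesystem list
"""

LINE_RE = re.compile(r"^(\S+)\s+shell\[\d+\]:\s+\[([^\]]+)\]:\s+(.*)$")

# One regex per stage of the chain. "encrypt" is deliberately narrow: a binary
# launched from a temp location with a datastore path as argument, so that a
# plain `ls /vmfs/volumes` by an administrator does not trip it.
STAGES = {
    "recon": re.compile(r"esxcli vm process list|vim-cmd vmsvc/getallvms|esxcli storage filesystem list"),
    "tamper": re.compile(r"execInstalledOnly -i 0|hostsvc/enable_ssh|firewall set --enabled false"),
    "vm_kill": re.compile(r"esxcli vm process kill|vim-cmd vmsvc/power\.off"),
    "backup_removal": re.compile(r"vmsvc/snapshot\.remove"),
    "staging": re.compile(r"chmod \+x (?:/tmp/|/var/tmp/)"),
    "encrypt": re.compile(r"^(?:/tmp/|/var/tmp/|\./)\S+\s.*?/vmfs/volumes"),
}


def parse_line(line):
    """Return (timestamp, user, command) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, cmd = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, cmd


def classify(cmd):
    """Set of stage names whose pattern matches the command (may be empty)."""
    return {name for name, rx in STAGES.items() if rx.search(cmd)}


def detect(log_text, window=timedelta(minutes=30)):
    """Correlate stages per user.

    Emits a 'high' alert for every hardening-tamper command on its own, and a
    'critical' alert when one user's commands within `window` cover at least
    VM shutdown and an encryptor launch against the datastores.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, cmd = parsed
        stages = classify(cmd)
        if stages:
            events[user].append((ts, cmd, stages))

    alerts = []
    for user, evs in sorted(events.items()):
        evs.sort(key=lambda e: e[0])
        for _, cmd, stages in evs:
            if "tamper" in stages:
                alerts.append({"user": user, "severity": "high",
                               "reason": "hardening_tamper", "command": cmd})
        # Sliding window anchored at each event; one chain alert per user.
        for i, (start, _, _) in enumerate(evs):
            covered = set()
            for ts, _, stages in evs[i:]:
                if ts - start > window:
                    break
                covered |= stages
            if {"vm_kill", "encrypt"} <= covered:
                alerts.append({"user": user, "severity": "critical",
                               "reason": "esxi_ransomware_chain",
                               "stages": sorted(covered),
                               "first_seen": start.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The chain alert requires the two stages that matter for impact (VM shutdown plus an encryptor run against the datastores) rather than every stage, because real intrusions skip or reorder steps; the tamper alert fires independently so that disabling execInstalledOnly or opening SSH is surfaced before encryption starts. Ship shell.log (and auth.log for the credential stage) off the host, since the ransomware frequently wipes local logs.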
Malvertising Campaign Distributing Trojanized Installers
In a related development, cybersecurity company Rapid7 has warned of an ongoing campaign since early March 2024 that employs malicious ads on commonly used search engines to distribute infected installers for WinSCP and PuTTY via typosquatted domains. These counterfeit installers act as a conduit to drop the Sliver post-exploitation toolkit, which is then used to deliver more payloads, including a Cobalt Strike Beacon leveraged for ransomware deployment.
This activity shares tactical overlaps with prior BlackCat ransomware attacks that have used malvertising as an initial access vector, disproportionately affecting members of IT teams who are most likely to download the infected files.
New Ransomware Families and Global Trends
The cybersecurity landscape has witnessed the emergence of new ransomware families like Beast, MorLock, Synapse, and Trinity. The MorLock group has extensively targeted Russian companies, encrypting files without first exfiltrating them and demanding substantial ransoms.
According to NCC Group’s data, global ransomware attacks in April 2024 registered a 15% decline from the previous month, with LockBit’s reign as the top threat actor ending in the aftermath of a sweeping law enforcement takedown earlier this year.
The turbulence in the ransomware scene has been accompanied by cyber criminals advertising hidden Virtual Network Computing (hVNC) and remote access services like Pandora and TMChecker, which could be used for data exfiltration, deploying additional malware, and facilitating ransomware attacks.