Alert – Ransomware Actors Targeting VMware ESXi

Matteo Rossit

Attention HIROC Subscribers:

This alert is intended to raise awareness of increasing threat activity targeting VMware ESXi servers.

Please share this Alert with your Information Technology (IT) team, Information Security Management team, Chief Information Officer, Chief Technology Officer and Risk Management Leader, and as appropriate with your users, to raise awareness of this threat and to address potential risks promptly.


What is VMware ESXi?

VMware ESXi is a proprietary Type 1 (bare-metal) hypervisor that partitions a physical server so that multiple virtual machines can run on a single host.

Threat actors have been observed targeting VMware ESXi servers with several novel strains of malware, and the cybersecurity community is reporting a steady increase in the capabilities of malware able to compromise ESXi hosts. These strains exfiltrate and encrypt data with the intention of extorting victims.

Why VMware ESXi?

VMware ESXi is likely being targeted because of its role as a hypervisor. A single host sits at the crossroads of many enterprise resources: the virtualized servers and workstations it runs, the data those systems process, and the storage and backups that hold that data for the virtualized infrastructure. Compromising the host therefore puts all of them at risk at once.

Additionally, some of the newly identified ransomware strains reportedly check which operating system they are running on before executing, and then select an operating-system-specific mode of operation accordingly.

This cross-OS functionality increases the potential to infect and encrypt larger sections of the intended victim’s infrastructure, beyond the original point of infection.

In effect, this creates a pathway between ESXi hosts and Windows systems, where either environment can spread the ransomware to the other, drastically broadening its reach and potential damage.

It is also reported that at least one threat actor's malware strain was novel enough to go undetected when scanned by VirusTotal, which aggregates results from many antimalware engines. A zero-detection result means signature-based antimalware solutions may be temporarily unable to detect and stop the malware until vendors release updated signatures.

Recommendations

Industry leaders and government sources recommend that risk mitigation strategies and controls focus on strengthened defenses and Identity and Access Management (IAM) processes, backed by strong redundancy and backup measures.

HIROC Subscribers should consider the following high-impact recommendations, as highlighted by industry and government sources:

  1. Ensure Multi-Factor Authentication (MFA) is used on all VMware administrative consoles and on the underlying hypervisor hosts.
  2. Set up monitoring and logging functionality for systems and networks, and ensure security teams receive automated alerts if any anomalies are detected.
  3. Segment networks to ensure sensitive and high-value information is in different zones of your network.
  4. Keep VMware ESXi software up to date with vendor security patches.
  5. Ensure business-critical services have redundancies.
    1. If any one of these host servers goes down, are you able to keep services going?
    2. Is there a single point of failure identified in the delivery of business-critical services?
  6. Verify that regular, offline backups exist and have been tested, so that they can be restored to replace affected systems.
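The following is an added example from the editor, not part of the HIROC alert or any VMware documentation, illustrating what the "monitoring and automated alerts" recommendation above can look like in practice on an ESXi host. It parses constructed shell-command log lines in the shape ESXi writes to /var/log/shell.log (assumed here as "<timestamp> shell[<pid>]: [<user>]: <command>") and raises an alert when one user stops several virtual machines in a short window, or runs a command that weakens the host (the specific commands and thresholds are the editor's assumptions). Ransomware targeting ESXi must stop running VMs before it can encrypt their disk files, so a burst of VM-stop commands is a useful early warning; the log lines below are constructed for the example.

```python
"""Detection sketch for suspicious ESXi shell activity (editorial example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line shape of /var/log/shell.log on an ESXi host:
#   <ISO8601 timestamp> shell[<pid>]: [<user>]: <command>
SHELL_LOG_RE = re.compile(
    r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$"
)

# Commands that stop a VM. A burst of these from one user is the signal we
# want, because encryption of .vmdk files cannot start while VMs are running.
VM_STOP_RE = re.compile(
    r"(esxcli vm process kill .*--world-id[= ](?P<wid>\d+))"
    r"|(vim-cmd vmsvc/power\.off (?P<vmid>\d+))"
)

# Single commands that deserve an alert on their own (assumption: these are
# rarely typed interactively in a healthy environment).
SINGLE_SHOT = {
    "vim-cmd hostsvc/enable_ssh": "SSH service enabled from shell",
    "esxcli network firewall set --enabled false": "ESXi firewall disabled",
}

# Constructed sample log: one session enabling SSH and then stopping four VMs
# in seconds, plus a benign single VM kill by an administrator later.
SAMPLE_LOG = """\
2023-02-03T09:58:12Z shell[20991]: [root]: esxcli system version get
2023-02-03T09:58:40Z shell[20991]: [root]: vim-cmd hostsvc/enable_ssh
2023-02-03T10:01:03Z shell[20991]: [root]: esxcli vm process list
2023-02-03T10:01:09Z shell[20991]: [root]: esxcli vm process kill --type=force --world-id=2100051
2023-02-03T10:01:10Z shell[20991]: [root]: esxcli vm process kill --type=force --world-id=2100077
2023-02-03T10:01:11Z shell[20991]: [root]: esxcli vm process kill --type=force --world-id=2100102
2023-02-03T10:01:12Z shell[20991]: [root]: vim-cmd vmsvc/power.off 14
2023-02-03T11:30:00Z shell[21544]: [admin]: esxcli vm process kill --type=soft --world-id=2100200
"""


def parse_line(line):
    """Return (timestamp, user, command) for a shell.log line, else None."""
    m = SHELL_LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["cmd"]


def detect(lines, burst_threshold=3, window=timedelta(minutes=5)):
    """Return a list of (timestamp, user, reason) alerts, in log order."""
    alerts = []
    stops = defaultdict(list)  # user -> [(timestamp, stopped VM identifier)]
    burst_alerted = set()      # users already alerted for a VM-stop burst

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, cmd = parsed

        for prefix, reason in SINGLE_SHOT.items():
            if cmd.startswith(prefix):
                alerts.append((ts, user, reason))

        m = VM_STOP_RE.search(cmd)
        if m:
            stops[user].append((ts, m["wid"] or m["vmid"]))
            # Distinct VMs this user stopped inside the sliding window.
            recent = {vm for (t0, vm) in stops[user] if ts - t0 <= window}
            if len(recent) >= burst_threshold and user not in burst_alerted:
                burst_alerted.add(user)
                alerts.append((ts, user,
                               f"{len(recent)} VMs stopped within {window} "
                               "(possible pre-encryption activity)"))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} ALERT user={user}: {reason}")
```

Run against the constructed log, the script raises two alerts for the root session (SSH enabled, then three VMs stopped within seconds) and none for the administrator's single kill an hour later. In production the same logic would be fed from a syslog collector rather than a local file, and the thresholds tuned to how many VMs your teams legitimately stop at once during maintenance.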

We encourage all of our Subscribers to notify their security teams or Managed Service Partners, and read the Canadian Centre for Cyber Security’s Ransomware playbook (ITSM.00.099) for more specific recommendations.  

Have questions? Contact us at [email protected].

Additional Resources