New Python-Based Ransomware Quickly Encrypts Virtual Machines
Sophos cybersecurity researchers discovered a Python-based ransomware operation that went from a compromised corporate network to encrypted virtual machines in just three hours.
VMware ESXi datastores rarely have endpoint protection, the researchers noted, and they host virtual machines (VMs) that likely run business-critical services, making them a very attractive target for hackers. In the threat landscape, it’s like hitting the jackpot.
In this case, the attackers used unusual techniques to lock down the data and prevent recovery.
Why hackers used Python
Python is a powerful programming language that can easily interact with the operating system with just a few lines of code, and ESXi servers are Linux-based systems that often have Python preinstalled.
Python is quite handy for calling commands from other programs through the os module. In this case, the hackers downloaded a lightweight Python script called fcker.py containing ESXi Shell commands such as vim-cmd vmsvc/getallvms and vim-cmd vmsvc/power.off.
These commands list all the VMs and power them off, which is necessary before encryption can start. The script then encrypts the files in the /tmp directory with a single line of code that calls an openssl command. After that, it overwrites the original files with a four-letter expletive and covers its tracks by deleting itself and the files it generated, including the vms.txt file that lists all VM names. Finally, the encrypted files are moved from the /tmp directory back to the datastore location.
The final touch is that the script contains configurable parameters such as the email address for payment, the file suffix for encrypted files and the encryption keys, so the same code can be reused simply by changing those values.
How attackers obtained unauthorized access
In order to run this script, the hackers first had to compromise the network. They targeted a TeamViewer account that did not have multi-factor authentication enabled and was running in the background on an administrator’s computer.
They downloaded tools to scan the network and open SSH connections. Unfortunately, the administrator left his password manager open in a browser tab. The attackers found the root credentials there and used them to open an SSH tunnel to the ESXi servers.
The attack succeeded because the victims had insecure routines, such as managing ESXi servers through the ESXi Shell over SSH and, in this case, failing or forgetting to turn the service off afterwards.
This is a striking example of the importance of the human factor in IT security. There may be good security settings and configurations, but people can choose not to use them.
The hackers had probably compromised the network well in advance, looking for weaknesses. They exploited several lucky breaks to gain access to the files they were targeting.
Faster encryption means higher risk
Modern ransomware uses new encryption techniques to speed up encryption, combining symmetric encryption (an AES key) with asymmetric encryption (hard-coded public keys) to lock down data without an internet connection and prevent victims from reversing the operation.
With the rise of ransomware protection tools, threat actors must innovate with new models to deploy malware and encrypt files much faster, putting security measures to the test.
It’s a big paradigm shift, and speed makes it worse. If you don’t have the security routines and detection tools to spot malicious scripts that aren’t supposed to exist in those areas (or anywhere else on the network), you’re pretty much doomed.
Attackers tend to be more and more innovative in order to remain undetected for as long as possible. In addition to symmetric cryptography, they use a new asymmetric key pair for each targeted node in the network.
According to Sophos researchers, the hackers couldn’t predict these newly generated keys, so the idea is to encrypt each secret key with one of the hard-coded public keys.
There is no information on the name of the threat actor behind this operation. Forensic experts managed to retrieve a copy of the script, which was not supposed to be possible, since the code contains an instruction to delete itself after use.
Education is the key to better security
Obviously, the targeted organization had security holes. The hackers took advantage of several bad practices, especially around software such as TeamViewer, which allows remote control of a computer. Likewise, SSH root access poses security concerns.
Penetration testing and best practices can prevent these flaws. In addition, detection tools can spot such .py files, for example, by regularly scanning directories.
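As an added illustration of the kind of directory scan mentioned above (this is not Sophos’ code nor the script from the incident), the following walks a directory tree for .py files and flags those that combine several of the behaviours described in this article. The indicator patterns, file names and sample file contents are constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Behaviour indicators drawn from the description above (constructed, not official IoCs).
INDICATORS = {
    "esxi_list_vms": re.compile(r"vim-cmd\s+vmsvc/getallvms"),
    "esxi_power_off": re.compile(r"vim-cmd\s+vmsvc/power\.off"),
    "openssl_encrypt": re.compile(r"\bopenssl\s+enc\b"),
    "self_delete": re.compile(r"os\.(remove|unlink)\(\s*__file__\s*\)"),
    "vms_list_file": re.compile(r"vms\.txt"),
}


def scan_file(path):
    """Return the sorted indicator names found in one file (empty if unreadable)."""
    try:
        text = Path(path).read_text(errors="ignore")
    except OSError:
        return []
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root, min_hits=2):
    """Map each .py file under root (posix-relative path) to its hits.

    A single hit (e.g. a backup script mentioning vms.txt) is ignored;
    only files combining several behaviours are reported.
    """
    root = Path(root)
    findings = {}
    for p in root.rglob("*.py"):
        hits = scan_file(p)
        if len(hits) >= min_hits:
            findings[p.relative_to(root).as_posix()] = hits
    return findings


# Constructed sample: fragments mirroring the behaviour described, plus a benign admin script.
SUSPICIOUS_SAMPLE = (
    "import os\n"
    'os.system("vim-cmd vmsvc/getallvms > /tmp/vms.txt")  # list VMs\n'
    'os.system("vim-cmd vmsvc/power.off <VMID_PLACEHOLDER>")  # stop VMs\n'
    "# files are then processed with an openssl enc command\n"
    "os.remove(__file__)  # cover tracks\n"
)
BENIGN_SAMPLE = 'print("checking backup inventory in vms.txt")\n'


def demo():
    """Build a temporary tree with both samples and return the scan findings."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "tmp").mkdir()
        (Path(d) / "scripts").mkdir()
        (Path(d) / "tmp" / "fcker.py").write_text(SUSPICIOUS_SAMPLE)
        (Path(d) / "scripts" / "backup_check.py").write_text(BENIGN_SAMPLE)
        return scan_tree(d)
```

On a real host the same scan would be pointed at /tmp and the datastore paths and its output forwarded to a SIEM rather than returned.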
Bad habits can change, of course. Organizations that hold sensitive data should make sure their teams are security aware, especially employees with administrator privileges. There is no point in blaming someone in particular. You would be surprised how many companies overlook this aspect for lack of budget or time, or simply for convenience.
Even though threat actors have been successful in defeating multi-factor authentication under specific conditions, it remains a huge pain for hackers, and users with high privileges still need to enable it. While working without root access and an SSH shell can be more difficult, it is a valid security measure.
Such blitz attacks can be devastating, and there is no way to completely stop ransomware attacks, but there are several steps you can take to mitigate them:
- Have multiple layers of defense
- Isolate the most sensitive areas from the rest of the network
- Secure user accounts with privileges to avoid dangerous escalations