Photo by Afif Ramdhasuma on Unsplash

ESXi ransomware attacks

New Targets

Article from ADMIN 73/2023
Files encrypted by ransomware have been the nightmare scenario of IT departments, and even specialized operating systems like the ESXi server are not immune. We look at how to mitigate risk and prepare for recovery if hypervisor protection fails.

Today, it hardly matters which operating systems are used on servers; the malware developers working in the background cover all the popular systems. Even specialist operating systems such as the VMware ESXi hypervisor have repeatedly been targeted by criminals. This article sheds light on the damage potential, pointing out ways to mitigate risk and actions to help prepare for an incident.

In many cases, you will hear about the benefits of virtualization, the added security that isolating individual machines can provide, and how easy it is to revert to previous versions at any time with snapshots. Modern ransomware, and the behavior of the groups behind it, has adapted to this kind of reasoning and to the technology behind it. Today, malware is installed well ahead of the actual attack. The effort the attackers invest in analyzing the compromised infrastructure before they strike gives them a clear advantage: They already know all the systems; the deployed software, including the security suites and backup applications; the login data; and the employees' areas of responsibility, right down to their vacation planning.

Attacks on Hypervisors

Pitted against this professionalization on the criminals' side are the IT departments of small to large enterprises, which, besides handling security, are primarily responsible for keeping the infrastructure running. In addition to the operating systems of the virtual machines (VMs), the hypervisors on which the VMs run have long been in the attackers' focus. Most recently, ransomware named Cheerscrypt [1] grabbed the limelight around the middle of last year. It is based on the Linux variant of the Babuk malware, attacks VMware ESXi servers through known vulnerabilities, and then encrypts the files used by VMware one after another.

In this case, the attack usually occurs by way of the hypervisor guests and a vulnerability in the
