| Section | Details |
|---|---|
Threat Actors | Ransomware groups using variants of Babuk ransomware |
Campaign Overview | Ransomware targeting VMware ESXi servers, leveraging vulnerabilities in vCenter and hybrid encryption methods to lock critical files and demand high ransoms. |
Target Regions (Victims) | Organizations using VMware ESXi servers exposed to the internet |
Methodology | • Attackers gain control via vCenter using the “vpxuser” account with root permissions. • Targeting VMDK, VMEM, VSWP, and VMSN files for encryption to disrupt operations. • Hybrid encryption using AES/Chacha20 for data encryption and RSA for securing symmetric keys. |
Product Targeted | VMware ESXi servers, vCenter |
Malware Reference | Babuk ransomware (adapted for ESXi) |
Tools Used | AES, Chacha20 (symmetric encryption), RSA (asymmetric encryption) |
Vulnerabilities Exploited | vCenter and ESXi server vulnerabilities |
TTPs | • Phishing and selling Initial Access to other ransomware groups. • Targeting key files (VMDK, VMEM, VSWP, VMSN) for encryption. • Hybrid encryption approach for fast and secure data encryption. |
Attribution | Ransomware groups using Babuk ransomware |
Recommendations | • Apply VCSA updates regularly and run the latest version. • Implement Multi-Factor Authentication (MFA) and remove default users. • Deploy detection tooling (EDR, XDR) and monitoring policies. • Segment the network to limit lateral movement. |
Source | The Hacker News |
Read full article: https://thehackernews.com/2025/01/ransomware-on-esxi-mechanization-of.html
The above summary has been generated by an AI language model