| Section | Details |
|---|---|
| Threat Actors | Ransomware groups using variants of Babuk ransomware |
| Campaign Overview | Ransomware targeting VMware ESXi servers, leveraging vulnerabilities in vCenter and hybrid encryption methods to lock critical files and demand high ransoms. |
| Target Regions (Victims) | Organizations using VMware ESXi servers exposed to the internet |
| Methodology | • Attackers who compromise vCenter pivot to the ESXi hosts it manages through the “vpxuser” account, which vCenter creates on every host with root-level (administrator) privileges. • Files that make up a running VM (VMDK virtual disks, VMEM memory, VSWP swap and VMSN snapshot files) are encrypted so that the guests cannot be restarted. • Hybrid encryption: each file is encrypted with a fast symmetric cipher (AES or ChaCha20), and the symmetric keys are in turn encrypted with the attackers' RSA public key, so recovery requires the RSA private key that only the attackers hold. |
| Product Targeted | VMware ESXi servers, vCenter |
| Malware Reference | Babuk ransomware (adapted for ESXi) |
| Tools Used | Babuk-derived ESXi encryptor using AES or ChaCha20 (symmetric file encryption) and RSA (asymmetric wrapping of the symmetric keys) |
| Vulnerabilities Exploited | Unpatched vCenter (VCSA) and ESXi vulnerabilities (no specific CVE is named in this summary) |
| TTPs | • Initial access obtained by phishing, or purchased from initial access brokers who sell footholds to ransomware groups. • Targeting of the files a VM needs to run (VMDK, VMEM, VSWP, VMSN) for encryption. • Hybrid encryption: symmetric bulk encryption for speed, RSA key wrapping so that keys cannot be recovered from the victim's systems. |
| Attribution | Ransomware groups using Babuk ransomware |
| Recommendations | • Keep vCenter Server Appliance (VCSA) patched and on the latest supported version. • Enforce Multi-Factor Authentication (MFA) on vCenter and remove or disable unused default accounts. • Cover ESXi and vCenter with EDR/XDR and with monitoring policies that alert on anomalous administrative logins. • Segment the management network so that a compromised host or workstation cannot reach every hypervisor. |
| Source | The Hacker News |
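A concrete check that follows from the file types listed above: once the encryptor has run, the VM files on a datastore either carry a new extension, have lost their normal header, or have become uniformly high-entropy. The hunt script below is an added example written for this page, not code from the article or from the Babuk authors. It assumes the datastore is reachable as an ordinary directory tree (on ESXi, under `/vmfs/volumes/<datastore>`), and it builds a constructed sample datastore in a temporary directory so it runs offline; the `.locked` extension and the VM names `web01` and `db02` are hypothetical.

```python
"""Added example: flag VM files under a datastore path that look encrypted.

Hypothetical hunt script, not from the article. It walks a directory the way
you would walk /vmfs/volumes/<datastore> on an ESXi host and reports files of
the four types the summary names (VMDK, VMEM, VSWP, VMSN) that show any of:
  * an extra extension appended after the VM suffix (bulk rename by a locker),
  * a VMDK descriptor/sparse header that is no longer present,
  * a high-entropy leading sample, which plaintext VM files rarely have.
"""
from __future__ import annotations

import math
import random
import tempfile
from collections import Counter
from pathlib import Path

VM_SUFFIXES = {".vmdk", ".vmem", ".vswp", ".vmsn"}
# Extent files carry raw disk data and have no textual header of their own.
EXTENT_MARKERS = ("-flat", "-delta", "-sesparse", "-rdm", "-rdmp", "-ctk")
VMDK_DESCRIPTOR_PREFIX = b"# Disk DescriptorFile"
VMDK_SPARSE_MAGIC = b"KDMV"          # 0x564d444b, hosted/monolithic sparse extents
SAMPLE_BYTES = 64 * 1024
ENTROPY_THRESHOLD = 7.5              # bits per byte; ciphertext approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def split_vm_name(path: Path) -> tuple[str | None, str]:
    """Return (vm_suffix, trailing_extensions); 'x.vmdk.locked' -> ('.vmdk', '.locked')."""
    suffixes = [s.lower() for s in path.suffixes]
    for i, s in enumerate(suffixes):
        if s in VM_SUFFIXES:
            return s, "".join(suffixes[i + 1:])
    return None, ""


def inspect_file(path: Path) -> list[str]:
    """Reasons this VM file looks tampered with; an empty list means it looks normal."""
    vm_suffix, extra = split_vm_name(path)
    if vm_suffix is None:
        return []
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    reasons = []
    if extra:
        reasons.append(f"unexpected trailing extension {extra!r}")
    if vm_suffix == ".vmdk":
        base = path.name.lower().split(".vmdk", 1)[0]
        is_extent = base.endswith(EXTENT_MARKERS)
        if not is_extent and not (head.startswith(VMDK_DESCRIPTOR_PREFIX)
                                  or head.startswith(VMDK_SPARSE_MAGIC)):
            reasons.append("VMDK descriptor/sparse header missing")
    entropy = shannon_entropy(head)
    if entropy >= ENTROPY_THRESHOLD:
        reasons.append(f"high entropy {entropy:.2f} bits/byte in first {len(head)} bytes")
    return reasons


def scan_datastore(root: Path) -> dict[str, list[str]]:
    """Map datastore-relative path -> reasons, for every file that raised a reason."""
    findings: dict[str, list[str]] = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        reasons = inspect_file(path)
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_datastore(root: Path) -> None:
    """Constructed sample: one intact VM and one VM hit by a hypothetical locker."""
    rng = random.Random(7)                       # deterministic stand-in for ciphertext
    ciphertext = bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES))
    descriptor = b'# Disk DescriptorFile\nversion=1\ncreateType="vmfs"\n'
    intact, hit = root / "web01", root / "db02"
    intact.mkdir(parents=True)
    hit.mkdir(parents=True)
    (intact / "web01.vmdk").write_bytes(descriptor)
    (intact / "web01-flat.vmdk").write_bytes(b"\x00" * 510 + b"\x55\xaa" + b"\x00" * 4096)
    (intact / "web01.vswp").write_bytes(b"\x00" * 8192)
    (intact / "web01.vmx").write_bytes(b'config.version = "8"\n')   # not a scanned type
    # Locker renamed the descriptor and memory file; the flat extent was
    # encrypted in place with its name unchanged; the snapshot was left alone.
    (hit / "db02.vmdk.locked").write_bytes(ciphertext[:2048])
    (hit / "db02.vmem.locked").write_bytes(ciphertext)
    (hit / "db02-flat.vmdk").write_bytes(ciphertext)
    (hit / "db02.vmsn").write_bytes(b"\x00" * 4096)


def demo() -> dict[str, list[str]]:
    """Build the constructed datastore in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix="ds-"))
    build_sample_datastore(root)
    return scan_datastore(root)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel)
        for reason in reasons:
            print("   -", reason)
```

To use it against a real host, replace `demo()` with `scan_datastore(Path("/vmfs/volumes/<datastore>"))`. The rename and missing-header signals are the reliable ones; the entropy signal is a supporting heuristic, because a flat extent whose first 64 KB happen to hold compressed data will also score high, so treat an entropy-only hit as a lead rather than a verdict. All three signals fire only after encryption has started, which is why the recommendations above (patching, MFA, removing default accounts, segmentation) matter more than any post-hoc scan.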
Read full article: https://thehackernews.com/2025/01/ransomware-on-esxi-mechanization-of.html
The above summary has been generated by an AI language model