
Ransomware on ESXi: The mechanization of virtualized attacks

Threat Actors: Ransomware groups using variants of Babuk ransomware

Campaign Overview: Ransomware targeting VMware ESXi servers, leveraging vulnerabilities in vCenter and hybrid encryption methods to lock critical files and demand high ransoms.

Target Regions (Victims): Organizations using VMware ESXi servers exposed to the internet

Methodology:
• Attackers gain control via vCenter using the "vpxuser" account with root permissions.
• Targeting VMDK, VMEM, VSWP, and VMSN files for encryption to disrupt operations.
• Hybrid encryption using AES/ChaCha20 for data encryption and RSA for securing the symmetric keys.

Product Targeted: VMware ESXi servers, vCenter

Malware Reference: Babuk ransomware (adapted for ESXi)

Tools Used: AES, ChaCha20 (symmetric encryption), RSA (asymmetric encryption)

Vulnerabilities Exploited: vCenter and ESXi server vulnerabilities

TTPs:
• Phishing and selling initial access to other ransomware groups.
• Targeting key files (VMDK, VMEM, VSWP, VMSN) for encryption.
• Hybrid encryption approach for fast and secure data encryption.

Attribution: Ransomware groups using Babuk ransomware

Recommendations:
• Regular VCSA updates and use of the latest version.
• Implement Multi-Factor Authentication (MFA) and remove default users.
• Use detection tools such as EDRs, XDRs, and monitoring policies.
• Network segmentation to reduce lateral movement.

Source: The Hacker News

Read full article: https://thehackernews.com/2025/01/ransomware-on-esxi-mechanization-of.html

The above summary has been generated by an AI language model


Source: The Hacker News

Published on: January 16, 2025
