Two strains of ransomware have recently been updated to target VMware’s ESXi hypervisor and encrypt virtual machine files, says security vendor CrowdStrike.
Neither attack has found a way into ESXi itself, which is welcome news as a successful attack on the type-one hypervisor would mean hosts could be compromised. Instead, both rely on finding credentials to the vCenter Servers used to manage ESXi and the virtual machines it tends. Don’t relax just yet, vAdmins, unless you’ve patched the critical-rated flaw revealed last week that allows remote code execution on a vCenter server.
CrowdStrike says the two groups it’s observed attacking ESXi are tracked as CARBON SPIDER and SPRITE SPIDER.
Neither is a brand new player. SPRITE SPIDER has been observed since at least July 2020 and is fond of ransomware named “Defray777”.
When whoever drives SPRITE SPIDER gets their hands on vCenter creds – a feat it accomplishes by lifting them from browsers or host memory – CrowdStrike says it “typically writes the Linux version of Defray777 to /tmp/, using a filename attempting to masquerade as a legitimate tool (e.g., svc-new).”
Once that tool is running, SPRITE SPIDER “enumerates system information and processes on the ESXi host using the uname, df, and esxcli vm process list commands.” With that job done, it terminates running VMs and encrypts them.
The gang also knows enough about VMware and ESXi that it tries to uninstall VMware Fault Domain Manager, a tool that automatically reboots failed VMs.
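A defender-side example, added here and not taken from CrowdStrike or the article, that scores ESXi shell history for the sequence described above: a binary run from /tmp/, uname/df reconnaissance, VM enumeration and forced VM kills, and removal of the Fault Domain Manager. The simplified shell.log line format, the vmware-fdm VIB name, the rule weights and every sample line are constructed assumptions.

```python
"""Score ESXi shell sessions for the ransomware staging pattern described in the article."""
import re
from collections import defaultdict

# Constructed sample lines in a simplified ESXi shell.log style (assumed format, not a real capture).
SAMPLE_LOG = """\
2021-02-25T09:58:01Z shell[2001]: [root]: esxcli system version get
2021-02-25T10:01:12Z shell[2044]: [root]: /tmp/svc-new
2021-02-25T10:01:13Z shell[2044]: [root]: uname -a
2021-02-25T10:01:13Z shell[2044]: [root]: df -h
2021-02-25T10:01:14Z shell[2044]: [root]: esxcli vm process list
2021-02-25T10:01:20Z shell[2044]: [root]: esxcli vm process kill --type=force --world-id=69633
2021-02-25T10:01:21Z shell[2044]: [root]: esxcli vm process kill --type=force --world-id=69891
2021-02-25T10:01:30Z shell[2044]: [root]: esxcli software vib remove --vibname=vmware-fdm
2021-02-25T11:30:00Z shell[2101]: [root]: esxcli vm process list
"""

# Assumed line layout: "<timestamp> shell[<pid>]: [<user>]: <command>".
LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# Each rule: (name, weight, regex applied to the command text). Weights are illustrative.
RULES = [
    ("exec_from_tmp", 3, re.compile(r"^(?:\S*\s+)?/tmp/\S+")),            # program launched from /tmp/
    ("recon_cmd", 1, re.compile(r"^(?:uname|df)\b")),                       # host fingerprinting
    ("vm_enumeration", 1, re.compile(r"^esxcli vm process list\b")),        # listing running VMs
    ("vm_force_kill", 3, re.compile(r"^esxcli vm process kill\b")),         # terminating VMs
    ("fdm_removal", 3, re.compile(r"^esxcli software vib remove\b.*\bfdm\b")),  # removing FDM (assumed VIB name)
]

def parse(log_text):
    """Yield one dict per well-formed shell.log line; skip anything that does not match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def score_sessions(log_text, threshold=6):
    """Group commands by shell PID, sum matching rule weights, return sessions at or above threshold.

    A single 'esxcli vm process list' is routine admin work and stays below the bar; the
    full staging sequence in one session accumulates well past it.
    """
    sessions = defaultdict(lambda: {"score": 0, "hits": []})
    for ev in parse(log_text):
        for name, weight, rx in RULES:
            if rx.search(ev["cmd"]):
                s = sessions[ev["pid"]]
                s["score"] += weight
                s["hits"].append((ev["ts"], name))
    return {pid: s for pid, s in sessions.items() if s["score"] >= threshold}
```

Running `score_sessions(SAMPLE_LOG)` flags only session 2044; the lone enumeration in session 2101 stays under the threshold.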
CARBON SPIDER has been doing the rounds since 2016 and used to target point-of-sale devices, but in August 2020 developed its own ransomware named “Darkside” and even created a version tailored to attack ESXi hosts. That VMware-centric version targets some of the file formats used by ESXi and encrypts them.
“Files are encrypted using the ChaCha20 algorithm with a 32-byte key and 8-byte nonce, uniquely generated per file,” say CrowdStrike’s analysts. “The ChaCha20 key and nonce are then encrypted using a 4096-bit RSA public key that is embedded in the ransomware.”
CrowdStrike researchers Eric Loui and Sergei Frank opine that attacking ESXi gives ransomware scum a bigger potential payoff because they stand a chance of encrypting all the virtual machines the hypervisor tends.
“If these ransomware attacks on ESXi servers continue to be successful, it is likely that more adversaries will begin to target virtualization infrastructure in the medium term,” the two CrowdStrike researchers write.
And with VMware now going all-in on hybrid clouds, a single vCenter logon could even reach into the public cloud. ®