October 8, 2021
In a recent discovery by Sophos security researchers, operators of an unidentified ransomware gang are currently using a Python script to encrypt virtual machines on vulnerable VMware ESXi servers.
According to SophosLabs Principal Researcher Andrew Brandt, “In what was one of the quickest attacks Sophos has investigated, from the time of the initial compromise until the deployment of the ransomware script, the attackers only spent just over three hours on the target’s network before encrypting the virtual disks in a VMware ESXi server.”
To achieve their goal, the attackers infiltrated the victim’s network by logging into a TeamViewer account that had a domain admin logged in to it. Afterwards, they used the Advanced IP Scanner to search for additional targets and simultaneously login to an ESXi server via the built-in SSH ESXi shell service.
They then executed a 6kb Python script (which allows attackers to use multiple encryption keys and email addresses and customize the file suffix for the encrypted files) to encrypt the virtual disk and VM settings files of all virtual machines.
For more information, read the original story in Bleeping Computer.
