Sophos cybersecurity researchers have discovered a Python-based ransomware operation that escalated from a compromised corporate network to encrypted virtual machines in just three hours.
VMware ESXi datastores rarely have endpoint protection, the researchers noted, and they host virtual machines (VMs) that likely run critical services for the business, making them a very attractive target for hackers. In the threat landscape, it’s like winning the jackpot.
In this case, the attackers employed unusual techniques to lock data and prevent any recovery.
Why the Hackers Used Python
Python is a powerful programming language that can easily interact with the operating system with just a few lines of code, and ESXi servers are Linux-based systems that often have Python pre-installed.
Python is pretty convenient for invoking commands from other programs using the OS module. In this case, the hackers uploaded a light Python script called fcker.py containing ESXi Shell commands such as vim-cmd vmsvc/getallvms and vim-cmd vmsvc/power.off.
These instructions list all VMs and shut them down, which is necessary before the encryption can start. The script then encrypts files in the /tmp directory with a single line of code that invokes an openssl command. After that, it overwrites the original files with a certain four-letter curse word and covers its tracks by deleting itself and the files it generated, including the vms.txt file that lists all VM names. Lastly, the encrypted files are moved from the /tmp directory back to the datastore location.
The finishing touch is that the script holds its configurable parameters, such as email addresses for payment, the file suffix for encrypted files, and the encryption keys, in variables, and splits its logic into functions, so the same code can be reused from one deployment to the next.
How the Attackers Gained Unauthorized Access
To be able to run that script, the hackers had to compromise the network first. They targeted a TeamViewer account that didn’t have multi-factor authentication enabled and ran in the background of an administrator’s computer.
They downloaded tools to scan the network and to open an SSH connection. Unfortunately, the administrator still had his password manager open in a browser tab. The attackers found root credentials there and used them to open an SSH tunnel to the ESXi servers.
The attack succeeded because the victims followed insecure routines, such as managing ESXi servers through the ESXi Shell (the SSH service) and, in this case, failing or forgetting to disable it afterward.
It’s a striking example of the importance of the human factor in IT security. There may be good security settings and configurations, but people can choose not to use them.
The hackers had probably compromised the network well beforehand and were waiting for an opportunity to strike. They exploited several fortuitous situations to reach the files they targeted.
Faster Encryption Means Higher Risk
Modern ransomware uses new encryption techniques to speed up encryption, combining symmetric (AES key) and asymmetric ciphers (hardcoded keys) to lock data without an internet connection and prevent the victims from reversing the operation.
With the rise of ransomware protection tools, threat actors have to innovate with new models to deploy malware and encrypt files significantly faster, putting security measures to the test.
It is a significant paradigm shift, and speed makes the situation worse. If you don’t have security routines and detection tools to spot malicious scripts that have no business being in those areas (or anywhere else in the network), you’re pretty much doomed.
Attackers keep innovating to remain undetected for as long as possible. On top of the symmetric cryptography, they use a new asymmetric key pair for each targeted node in the network.
According to Sophos researchers, the hackers themselves cannot predict keys that are generated at run time, so the idea is to encrypt each generated secret key with one of the hardcoded public keys; only the holder of the matching private key can then recover it.
There’s no information about the name of the threat actor behind this operation. Forensic experts managed to recover a copy of the script, but that was not supposed to happen, as there’s an instruction in the code to remove itself after usage.
Education is Key to Better Security
Obviously, the targeted organization had security weaknesses. The hackers took advantage of several bad practices, especially around software such as TeamViewer, which allows remote control of a computer. Likewise, SSH root access raises security issues.
Penetration tests and good practices can prevent those flaws. In addition, detection tools can spot such .py files, for example by scanning directories regularly.
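The kind of directory scan mentioned here can be scripted with nothing beyond the Python standard library. The following is an added example written for this article, not Sophos tooling and not the attackers' script: it walks the given directories, reads every .py file, and scores it against a small set of textual indicators taken from the description above (the vim-cmd calls that list and power off VMs, an openssl invocation, shell execution through the os module, a self-deleting script, and an embedded contact email). The indicator weights, the alert threshold, the placeholder paths and the two test fixtures are all constructed for the example.

```python
"""Scan directories for Python scripts that carry ESXi-ransomware indicators.

Added example (not Sophos' or the attackers' code). Indicator strings follow
the article's description of the script; weights and threshold are assumptions.
"""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable

# (name, pattern, weight). Weights are a constructed heuristic, not a standard.
INDICATORS = [
    ("esxi_list_vms", re.compile(r"vim-cmd\s+vmsvc/getallvms"), 2),
    ("esxi_power_off", re.compile(r"vim-cmd\s+vmsvc/power\.off"), 3),
    ("openssl_call", re.compile(r"\bopenssl\b"), 2),
    ("shell_exec", re.compile(r"\bos\.(system|popen)\s*\("), 1),
    ("self_delete", re.compile(r"os\.(remove|unlink)\s*\(\s*__file__"), 3),
    ("contact_email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), 1),
]
ALERT_THRESHOLD = 5  # assumption: one strong plus one weak indicator is enough to alert

# Constructed fixtures for testing the scanner; neither is a working script.
SUSPICIOUS_FIXTURE = "\n".join([
    "# constructed fixture, not a runnable script",
    "import os",
    "os.system('vim-cmd vmsvc/getallvms')",
    "os.system('vim-cmd vmsvc/power.off <vmid>')",
    "os.system('openssl <options elided>')",
    "contact = 'payments@example.invalid'",
    "os.remove(__file__)",
])
BENIGN_FIXTURE = "\n".join([
    "import os",
    "for name in os.listdir('/vmfs/volumes'):",  # placeholder datastore path
    "    print(name)",
])


@dataclass
class Finding:
    path: str
    hits: list[str]
    score: int


def scan_source(text: str) -> list[str]:
    """Return the names of all indicators present in one script's source."""
    return [name for name, pattern, _ in INDICATORS if pattern.search(text)]


def score(hits: Iterable[str]) -> int:
    """Sum the weights of the indicators that fired."""
    weights = {name: weight for name, _, weight in INDICATORS}
    return sum(weights[hit] for hit in hits)


def scan_directories(roots: Iterable[str], suffix: str = ".py") -> list[Finding]:
    """Recursively scan each root for files with `suffix` and report those
    whose indicator score reaches the alert threshold, highest score first."""
    findings: list[Finding] = []
    for root in roots:
        for path in Path(root).rglob(f"*{suffix}"):
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            hits = scan_source(text)
            total = score(hits)
            if total >= ALERT_THRESHOLD:
                findings.append(Finding(str(path), hits, total))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def demo_scan() -> list[Finding]:
    """Write both fixtures into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "tmp").mkdir()
        Path(tmp, "tmp", "unknown.py").write_text(SUSPICIOUS_FIXTURE)
        Path(tmp, "inventory.py").write_text(BENIGN_FIXTURE)
        return scan_directories([tmp])


if __name__ == "__main__":
    # On a real host the roots would be the datastore and /tmp paths to watch.
    for finding in demo_scan():
        print(f"{finding.path}: score {finding.score}, hits {finding.hits}")
```

The scan flags scripts, it does not prove intent: a legitimate maintenance script may call vim-cmd too, which is why the result is a ranked list for an analyst rather than an automatic action. Run from cron or a monitoring agent against the datastore and /tmp paths, any new .py file scoring above the threshold is worth an immediate look, and on an ESXi host where Python scripts should not appear at all, even a score of zero for an unexpected file is notable.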
Bad habits can change, of course. Organizations that hold sensitive data should ensure that their teams are security-aware, especially employees with admin privileges. It’s no use blaming someone in particular. You’d be surprised how many companies neglect this aspect because of lack of budgets or time, or just for convenience.
Even if threat actors have managed to defeat multi-factor authentication under specific conditions, it is still a massive obstacle for hackers, and users with high privileges should always enable it. Working without root access and an SSH shell can be harder, but it is a valid security measure.
Such blitz attacks can be devastating, and there’s no way to stop ransomware attacks entirely, but you can take several measures to mitigate them:
- Have several layers of defense
- Isolate the most sensitive areas from the rest of the network
- Secure user accounts with privileges to prevent dangerous escalations