Security News > 2021 > October > Ransomware gang encrypts VMware ESXi servers with Python script
Operators of an unknown ransomware gang are using a Python script to encrypt virtual machines hosted on VMware ESXi servers.
While the Python programming language is not commonly used in ransomware development, it is a logical choice for ESXi systems, seeing that such Linux-based servers come with Python installed by default.
As Sophos researchers recently discovered while investigating a ransomware incident, a Python ransomware script was used to encrypt a victim's virtual machines running on a vulnerable ESXi hypervisor within three hours of the initial breach.
"A recently-concluded investigation into a ransomware attack revealed that the attackers executed a custom Python script on the target's virtual machine hypervisor to encrypt all the virtual disks, taking the organization's VMs offline," SophosLabs Principal Researcher Andrew Brandt said.
The ransomware operators then executed a 6kb Python script to encrypt all virtual machines' virtual disk and VM settings files.
To make things even worse, with VMware ESXi being one of the most if not the most popular enterprise virtual machine platforms, almost every enterprise-targeting ransomware gang has started developing their encryptors designed to specifically target ESXi virtual machines.
News URL
Related news
- VMware Releases vCenter Server Update to Fix Critical RCE Vulnerability (source)
- VMware fixes critical vCenter Server RCE bug – again! (CVE-2024-38812) (source)
- VMware fixes bad patch for critical vCenter Server RCE flaw (source)
- Week in review: Fortinet patches critical FortiManager 0-day, VMware fixes vCenter Server RCE (source)
- Ransomware hits web hosting servers via vulnerable CyberPanel instances (source)
- Meet Interlock — The new ransomware targeting FreeBSD servers (source)
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)
- New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems (source)