Ransomware gang encrypts VMware ESXi servers with Python script
2021-10-05 13:00

Operators of an unknown ransomware gang are using a Python script to encrypt virtual machines hosted on VMware ESXi servers.

While the Python programming language is not commonly used in ransomware development, it is a logical choice for ESXi systems, seeing that such Linux-based servers come with Python installed by default.

As Sophos researchers recently discovered while investigating a ransomware incident, a Python ransomware script was used to encrypt a victim's virtual machines running on a vulnerable ESXi hypervisor within three hours of the initial breach.

"A recently-concluded investigation into a ransomware attack revealed that the attackers executed a custom Python script on the target's virtual machine hypervisor to encrypt all the virtual disks, taking the organization's VMs offline," SophosLabs Principal Researcher Andrew Brandt said.

The ransomware operators then executed a 6kb Python script to encrypt all virtual machines' virtual disk and VM settings files.

To make things even worse, with VMware ESXi being one of the most, if not the most, popular enterprise virtual machine platforms, almost every enterprise-targeting ransomware gang has started developing encryptors designed specifically to target ESXi virtual machines.


News URL

https://www.bleepingcomputer.com/news/security/ransomware-gang-encrypts-vmware-esxi-servers-with-python-script/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Vmware 186 84 404 199 101 788
Python 27 10 87 73 27 197