Security News > 2021 > October > VMware ESXi Servers Encrypted by Lightning-Fast Python Script
Researchers have discovered a new Python ransomware from an unnamed gang that's striking ESXi servers and virtual machines with what they called "Sniper-like" speed.
While the choice of Python for the ransomware is fairly distinctive, going after ESXi servers is anything but.
According to Sophos' report, ESXi servers have a built-in SSH service called the ESXi Shell that administrators can enable, but which is typically disabled by default.
The Python script uses the vim-cmd command functions of the ESXi Shell to produce a list of the names of all VMs installed on the server, then shuts them all down, he said.
The Python script slithers through, picking off VMs one after another, Brandt recounted: "One by one, the attackers executed the Python script, passing the path to datastore disk volumes as an argument to the script. Each individual volume contained the virtual disk and VM settings files for multiple virtual machines."
Specifically, the Python script embeds, as variables, the file suffix it appends to encrypted files, and email addresses to be used to contact the attacker for payment of the ransom.
News URL
https://threatpost.com/vmware-esxi-encrypted-python-script-ransomware/175374/