Researchers at Sophos have documented a ransomware attack targeting an ESXi hypervisor.
The threat actor gained access to the network through a compromised TeamViewer account.
From there they obtained a Domain Administrator account, used it to SSH to the ESXi host and ran a Python script that encrypted the virtual machines.
Because the encryption was applied to the virtual disk files on the host's datastore rather than to files inside the guests, every VM on the host was affected at once and none of the guests' own security tooling could see or block it. This made recovery much harder than if the VMs themselves had been targeted.
The attacker connected to ESXi over SSH.
The SSH service is disabled by default on ESXi, and VMware advise that it should remain disabled when not in use. The host shows a persistent warning in the web interface while it is enabled, so a host on which SSH has been left on is easy to spot.
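The script below is an added example, not code from the Sophos write-up or from VMware: it reads the SSH service state on an ESXi host and, if the service is running, applies the secure setting (stop the daemon, turn its start-up policy off, time out idle shell sessions). It assumes a stock ESXi shell in which `/etc/init.d/SSH status` prints "SSH is running" or "SSH is not running", the `vim-cmd hostsvc/stop_ssh` and `vim-cmd hostsvc/disable_ssh` verbs, and the `UserVars.ESXiShellTimeOut` and `UserVars.ESXiShellInteractiveTimeOut` advanced options. The host commands only run when that tooling is present, so the file can be read and its parser exercised on any machine.

```shell
#!/bin/sh
# Added example (not VMware's or Sophos' code). Meant to be run in the ESXi
# shell, e.g. from the DCUI or from the one SSH session you are about to close.
# Assumed: "/etc/init.d/SSH status" prints "SSH is running" or "SSH is not running".

# Map the status text to a single word so the state can be tested in scripts.
ssh_state_from_status() {
    case "$1" in
        *"is not running"*) echo stopped ;;
        *"is running"*)     echo running ;;
        *)                  echo unknown ;;
    esac
}

# Weak state (what the attacker found): sshd running and allowed to start with
# the host. Secure state (the ESXi default): sshd stopped, start policy off,
# and idle shell sessions time out so a forgotten session cannot be reused.
harden_ssh() {
    vim-cmd hostsvc/stop_ssh      # stop sshd now
    vim-cmd hostsvc/disable_ssh   # do not start it at boot
    # Idle timeouts in seconds; the default of 0 means "never" (assumed option names).
    esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i 600
    esxcli system settings advanced set -o /UserVars/ESXiShellInteractiveTimeOut -i 600
}

# Print the current state; exit status 1 while SSH is running, so the check can
# be wired into a monitoring job that alerts on hosts left open.
audit_ssh() {
    state=$(ssh_state_from_status "$(/etc/init.d/SSH status 2>&1)")
    echo "SSH service: $state"
    [ "$state" != running ]
}

# Only touch the host when the ESXi tooling is actually present.
if [ -x /etc/init.d/SSH ] && command -v vim-cmd >/dev/null 2>&1; then
    if ! audit_ssh; then
        harden_ssh
        audit_ssh
    fi
fi
```

Run it from the DCUI rather than over SSH where possible; if you do run it over SSH, the session you are in is the last one the host will accept until SSH is enabled again.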
Containment, Mitigations & Remediations
VMware have published guidance on securing ESXi on their website.
The initial breach was through a compromised TeamViewer account. Multi-factor authentication should be enforced on TeamViewer and on any other remote access tool where it is available. The path from that account to a Domain Administrator account and then to root on the hypervisor also shows why management access to ESXi should not be reachable with the same credentials that are used for day-to-day administration of the Windows domain.
Indicators of Compromise
A VM server would normally provide some protection against ransomware, since affected VMs can be shut down and restored from backup to contain the breach.
By targeting the hypervisor itself, the threat actor turned this control to their advantage: the VMs and their disks were encrypted from underneath the guests, so there was nothing left on the host to shut down and restore.
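The two host-side actions in this chain, an accepted SSH login and an interpreter being launched from the ESXi shell, are both recorded in ESXi's own logs. The script below is an added example, not part of the Sophos write-up: it pulls those events out of the OpenSSH-style lines ESXi writes to `/var/log/auth.log` and the `shell[pid]: [user]: command` lines of `/var/log/shell.log`. The log lines embedded in it are constructed to match those formats and the interpreter list (python, perl) is the author's assumption; confirm both against a real host before using the patterns in a detection rule.

```shell
#!/bin/sh
# Added example (not from Sophos). Triage of ESXi auth.log and shell.log for
# the SSH login followed by a script interpreter seen in this attack.
# The functions read log text from stdin, so on a host they can be run as
#   ssh_logins < /var/log/auth.log ; interpreter_execs < /var/log/shell.log

# Constructed sample of /var/log/auth.log (OpenSSH format, assumed).
AUTH_LOG=$(cat <<'EOF'
2021-10-01T09:57:50Z sshd[2060101]: Failed keyboard-interactive/pam for root from 10.10.20.15 port 51830 ssh2
2021-10-01T09:58:12Z sshd[2060120]: Accepted keyboard-interactive/pam for root from 10.10.20.15 port 51844 ssh2
2021-10-01T10:03:40Z sshd[2060301]: Accepted publickey for root from 10.10.20.15 port 51902 ssh2
EOF
)

# Constructed sample of /var/log/shell.log ("shell[pid]: [user]: command", assumed).
SHELL_LOG=$(cat <<'EOF'
2021-10-01T09:58:30Z shell[2060140]: [root]: cd /tmp
2021-10-01T09:58:45Z shell[2060140]: [root]: ls /vmfs/volumes/datastore1
2021-10-01T09:59:02Z shell[2060140]: [root]: python /tmp/encrypt.py
2021-10-01T10:04:11Z shell[2060310]: [root]: esxcli vm process list
EOF
)

# Print "<timestamp> <user> <source ip>" for every accepted SSH login.
# Failed attempts are skipped; they are noise here but worth counting separately.
ssh_logins() {
    awk '
        index($2, "sshd[") == 1 && $3 == "Accepted" {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i + 1)
                if ($i == "from") ip   = $(i + 1)
            }
            print $1, user, ip
        }'
}

# Print every shell.log line whose command is a script interpreter, with or
# without a leading path (python, python3, /bin/python, perl).
interpreter_execs() {
    awk '
        index($2, "shell[") == 1 && substr($3, 1, 1) == "[" {
            cmd = $4
            sub(/.*\//, "", cmd)   # strip a directory prefix such as /bin/
            if (cmd ~ /^(python[0-9.]*|perl)$/) print
        }'
}

# Demo run over the constructed samples.
echo "== accepted SSH logins =="
printf '%s\n' "$AUTH_LOG" | ssh_logins
echo "== interpreters launched from the ESXi shell =="
printf '%s\n' "$SHELL_LOG" | interpreter_execs
```

On a host that is supposed to have SSH disabled, any line from `ssh_logins` is an indicator in itself; on a host where SSH is legitimately used, the source IP outside the management network and the interpreter launch shortly after login are the parts worth alerting on.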