The hackers behind the recent ransomware attacks against VMware ESXi hypervisor have reportedly modified the malware in a way that makes it more difficult for victims to use available decryption tools. A modified encryption routine encrypts a significantly larger amount of data.
Note
- Of course they improve. On the other hand, all exposed vulnerable systems have been hit. If you still haven’t noticed and taken basic countermeasures: Do you really need that VMware server?
- This is a cat and mouse game. This new attack seems to both encrypt 50% of the data (of files over 128 MB) and leverage a new attack vector. The new ransom note no longer has the bitcoin address, but instead asks victims to contact them via Tox (a peer-to-peer instant message protocol) for the crypto wallet to send payment. This is likely due to investigators collecting the prior wallet addresses and tracking activity. The target is still your ESXi hypervisor, so having it updated and not exposed to the Internet still matters. And while this attack appears to bypass SLP, you still want that service disabled, as well as the SSH daemon (except when you’re actively using it; then turn it back off). Existing decryptors will have to be updated to handle the increase in encrypted data.
- The old adage “prevention is better than the cure” really applies when it comes to ransomware. So while scripts like this one produced by CISA are very welcome to help those who become victims of a ransomware attack, I urge everyone to ensure they read the CISA guidance on preventing ransomware (https://www.cisa.gov/stopransomware/ransomware-guide) or that provided by the Europol NoMoreRansom project (https://www.nomoreransom.org/en/prevention-advice.html).
- The good news is that both security researchers and the Government have created automated scripts to recover the encrypted files. The bad but not unexpected news is that the adversary, or adversaries, have changed their techniques, tactics, and procedures in malware execution. Costs to recover, if possible, will certainly rise. Company leadership and Boards should refer to this event as they balance the economics of updating vs. cost in recovery and clean-up.
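The comment above notes that the revised routine encrypts about half of each large file, which is exactly what a responder has to measure before deciding whether an existing decryptor or partial recovery is worth attempting. The following is an added triage example (not from the article, any commenter, CISA or the decryptor projects): it scans a file in fixed windows, treats windows whose byte entropy is near 8 bits as encrypted, and reports the encrypted fraction plus the untouched byte ranges. The 64 KiB window, the 7.5-bit threshold and the constructed sample image are assumptions; the malware's real stride is not described on the page.

```python
import math
import os
from collections import Counter
from typing import List, Tuple

WINDOW = 64 * 1024      # scan window in bytes (assumption, not the malware's stride)
THRESHOLD = 7.5         # bits/byte; ciphertext or random data sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def scan_windows(buf: bytes, window: int = WINDOW,
                 threshold: float = THRESHOLD) -> List[Tuple[int, int, bool]]:
    """Split buf into windows; return (offset, length, looks_encrypted) per window."""
    out = []
    for off in range(0, len(buf), window):
        blk = buf[off:off + window]
        out.append((off, len(blk), shannon_entropy(blk) >= threshold))
    return out

def encrypted_fraction(buf: bytes, window: int = WINDOW) -> float:
    """Share of bytes that look encrypted, i.e. what a decryptor must handle."""
    if not buf:
        return 0.0
    return sum(ln for _, ln, enc in scan_windows(buf, window) if enc) / len(buf)

def plaintext_runs(buf: bytes, window: int = WINDOW) -> List[Tuple[int, int]]:
    """Merge adjacent untouched windows into (start, end) byte ranges."""
    runs: List[Tuple[int, int]] = []
    for off, ln, enc in scan_windows(buf, window):
        if enc:
            continue
        if runs and runs[-1][1] == off:
            runs[-1] = (runs[-1][0], off + ln)
        else:
            runs.append((off, off + ln))
    return runs

def build_sample(windows: int = 8, window: int = WINDOW) -> bytes:
    """Constructed sample image: even windows are low-entropy filler (untouched),
    odd windows are random bytes standing in for ciphertext."""
    filler = (b"constructed-disk-filler " * (window // 24 + 1))[:window]
    return b"".join(os.urandom(window) if i % 2 else filler for i in range(windows))
```

Run `encrypted_fraction(build_sample())` to see the 50% figure the comment describes, and `plaintext_runs` to list the ranges a recovery tool could still read from the sample.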