New Python ransomware targets virtual machines, ESXi hypervisors to encrypt disks

A new strain of Python-based ransomware has been discovered by researchers, who observed it in a sniper campaign that encrypted a corporate system in less than three hours. The attack is one of the fastest recorded by Sophos researchers, who stated that the operators precision-targeted the ESXi platform to encrypt the corporate victim's virtual machines. The ransomware was deployed just ten minutes after the threat actors broke into a TeamViewer account belonging to the target organization. Sophos released a report detailing the attack on Tuesday.

Because TeamViewer was installed on a machine used by an individual who held domain administrator credentials, it took the attackers just ten minutes to find a vulnerable ESXi server suitable for the next stage of the assault. VMware ESXi is a bare-metal hypervisor used by vSphere to manage both containers and virtual machines. In this attack, the threat actors used the Bitvise SSH client to reach ESXi and the virtual disk files used by the company's VMs. Within three hours, the attackers had deployed the Python ransomware and encrypted the virtual hard drives. The malware first mapped the datastore and inventoried VM names, then powered off each virtual machine before beginning full database encryption.
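The sequence described above, in which every VM on the host is powered off in quick succession before encryption starts, is a signal a defender can watch for. The script below is an added example, not code from Sophos or from the article: it scans power-off events and raises an alert when one account powers off an unusual number of VMs inside a short sliding window. The log line format, the user and VM names, and the threshold and window values are all assumptions constructed for the example and would need to be mapped onto the real hypervisor logs and tuned per environment.

```python
"""Flag bursts of VM power-off events by a single account.

Added example, not from the article or Sophos. The log line shape below is a
constructed simplification, assumed to be:
    <ISO-8601 timestamp> <user> PowerOff <vm name>
Thresholds are assumptions to tune per environment.
"""
from collections import deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+PowerOff\s+(.+)$")

# Constructed sample: two routine single power-offs by "admin", and a burst
# by one account that shuts down six VMs in about a minute.
SAMPLE_LOG = """\
2021-10-05T09:12:01Z admin PowerOff build-agent-03
2021-10-05T13:40:10Z svc-backup PowerOff fileserver-01
2021-10-05T13:40:12Z svc-backup PowerOff db-primary
2021-10-05T13:40:15Z svc-backup PowerOff db-replica
2021-10-05T13:40:20Z svc-backup PowerOff erp-app-01
2021-10-05T13:40:27Z svc-backup PowerOff mail-01
2021-10-05T13:41:03Z svc-backup PowerOff dc-02
2021-10-05T16:02:00Z admin PowerOff test-vm
"""


def parse(lines):
    """Yield (timestamp, user, vm) for each line matching the assumed format;
    lines that do not match are skipped rather than treated as errors."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3)


def find_bursts(lines, threshold=5, window=timedelta(seconds=120)):
    """Return one (user, burst_start, vm_names) tuple per user whose power-off
    count reaches `threshold` within a sliding `window`.

    Events are processed in timestamp order; each user keeps a deque of recent
    events, and events older than the window are dropped from the front.
    """
    recent = {}      # user -> deque of (timestamp, vm)
    alerted = set()  # users already reported, so each burst is reported once
    alerts = []
    for ts, user, vm in sorted(parse(lines), key=lambda e: e[0]):
        q = recent.setdefault(user, deque())
        q.append((ts, vm))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, q[0][0], [name for _, name in q]))
    return alerts


if __name__ == "__main__":
    for user, start, vms in find_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {user} powered off {len(vms)} VMs from {start.isoformat()}: {vms}")
```

In practice the interesting knobs are the threshold and window: a backup job that snapshots and restarts VMs one at a time over an afternoon should stay well under a threshold that a scripted shutdown of every VM on the host will cross in seconds, and the alert should fire before the disk files are touched, which is the point in the timeline where a response still has something to protect.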

