"How Ransomware Attackers Hit Virtual Machine Hypervisors"

Researchers at the security firm Sophos released a new report detailing a ransomware attack against a victim's installation of VMware ESXi, an enterprise-class hypervisor that partitions a physical server into multiple virtual machines. The attack is notable both for its speed and for the defensive mistakes made by the victim, which include leaving unnecessary functionality enabled and failing to enforce multi-factor authentication on the remote-access tools used by accounts with administrative access to core systems. By hitting a hypervisor, an attacker can forcibly encrypt many systems at once; if the hypervisor hosts a multi-tenant environment, the attacker could crypto-lock systems belonging to several organizations, gaining more victims to extort. This is why ESXi servers are an attractive ransomware target: a single compromise reaches every guest machine, and the impact can be far larger because each virtual machine may be running business-critical applications or services. The particular group behind this attack remains unknown, but multiple ransomware groups, including REvil, BlackMatter, and HelloKitty, have been observed targeting ESXi. This article continues to discuss the ransomware attack that targeted the victim's VMware ESXi installation, the attack groups known to have targeted ESXi, and recommendations for securing the hypervisor.
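The summary names two defensive gaps: functionality left enabled that the hosts did not need, and remote administration without strong authentication. One way a defender can check the first of these across a fleet is a PowerCLI audit that reports which ESXi hosts still have interactive remote-access services running or set to start automatically, and whether lockdown mode is enabled. The script below is an added example, not code from the Sophos report or the article; it assumes the VMware.PowerCLI module is installed, uses a placeholder vCenter hostname, and treats the ESXi Shell (service key `TSM`) and the SSH service (`TSM-SSH`) as the services to flag, which is an assumption about what counts as unnecessary in a given environment.

```powershell
# Added example: audit ESXi hosts for remote-access services that are commonly
# unnecessary on production hypervisors, plus the host's lockdown-mode setting.
# Assumptions: VMware.PowerCLI installed; 'vcenter.example.internal' is a placeholder;
# the $flagged list is a policy choice, not something the article prescribes.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.internal'   # placeholder vCenter address

# Service keys to flag if running or set to start automatically (assumed list).
$flagged = @('TSM', 'TSM-SSH')   # TSM = ESXi Shell, TSM-SSH = SSH

$findings = foreach ($vmhost in Get-VMHost) {
    # Lockdown mode restricts direct host logins to vCenter-managed access;
    # 'lockdownDisabled' means DCUI/SSH/shell logins are allowed directly.
    $lockdown = $vmhost.ExtensionData.Config.LockdownMode

    $services = Get-VMHostService -VMHost $vmhost |
        Where-Object { $flagged -contains $_.Key }

    foreach ($svc in $services) {
        # Report a service if it is currently running or its startup policy is
        # anything other than 'off' (it would come back after a reboot).
        if ($svc.Running -or $svc.Policy -ne 'off') {
            [pscustomobject]@{
                Host         = $vmhost.Name
                Service      = $svc.Label
                Key          = $svc.Key
                Running      = $svc.Running
                StartPolicy  = $svc.Policy
                LockdownMode = $lockdown
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Host, Key | Format-Table -AutoSize
} else {
    Write-Output 'No flagged remote-access services found on any host.'
}

Disconnect-VIServer -Confirm:$false
```

The script only reports; remediation is a separate, deliberate step. For a host where the finding is confirmed unnecessary, `Stop-VMHostService` and `Set-VMHostService -Policy Off` on the same service objects turn the service off and keep it off across reboots, and lockdown mode is set per host through the vSphere client or the host's `ExtensionData`. Reviewing the output against a documented baseline, rather than disabling everything blindly, avoids cutting off an administrative path that a change window or backup agent still depends on.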

DeviceSecurity reports "How Ransomware Attackers Hit Virtual Machine Hypervisors"

