News & AnalysisSecurity

What Firms Should Know About A New Python Ransomware that Targets VMs


Ransomware attacks have doubled since the first half of the year and are targeting over 50% of organizations globally. A recently observed attack employed a Python-based ransomware variant to target an organization’s VMware ESXi server and encrypt all virtual disks, Sophos report.

The attackers, Sophos’ security researchers explain, were rather quick to execute the ransomware: the encryption process started roughly three hours after initial compromise. The attack involved the use of a custom Python script that, once executed on the target organization’s virtual machine hypervisor, took all VMs offline.

For initial access, the attackers compromised a TeamViewer account that did not have multi-factor authentication set up, and which was running in the background on a computer belonging to a user that had Domain Administrator credentials.

The attackers waited 30 minutes past midnight in the organization’s time zone to log in, then downloaded and executed a tool to identify targets on the network, which allowed them to find a VMware ESXi server, Sophos explains.

While the Python programming language is not commonly used in ransomware development, it is a logical choice for ESXi systems, seeing that such Linux-based servers come with Python installed by default.

As Sophos researchers recently discovered while investigating a ransomware incident, a Python ransomware script was used to encrypt a victim’s virtual machines running on a vulnerable ESXi hypervisor within three hours of the initial breach

“A recently-concluded investigation into a ransomware attack revealed that the attackers executed a custom Python script on the target’s virtual machine hypervisor to encrypt all the virtual disks, taking the organization’s VMs offline,” SophosLabs Principal Researcher Andrew Brandt said.

“In what was one of the quickest attacks Sophos has investigated, from the time of the initial compromise until the deployment of the ransomware script, the attackers only spent just over three hours on the target’s network before encrypting the virtual disks in a VMware ESXi server.”

“Administrators who operate ESXi or other hypervisors on their networks should follow security best practices, avoiding password reuse, and using complex, difficult to brute-force passwords of adequate length,” Brandt recommended.

Mieng Lim, VP of product management at Digital Defense by HelpSystems, said, “Ransomware threats are constantly evolving. From the commoditization of ransomware through the recent availability of as-a-service tools, to increasingly sophisticated attack strategies, it is a threat landscape that demands constant monitoring and education from organizations and governments alike. This is perfectly illustrated by the new strain of ransomware discovered by Sophos this week.”

“Typically, hackers enter their victim’s systems and linger undetected, harvesting data and identifying targets before they deploy a targeted ransomware attack. However, this new python-based ransomware enters systems and initiates an attack within a few hours, making fast-acting threat detection and response absolutely essential for businesses,” explained Lim.

According to her, “The first step in building an effective ransomware mitigation strategy is always setting realistic expectations. Ransomware breaches are no longer fully preventable, so businesses must focus on layering defensive barriers between an attacker and their most sensitive data. Running regular penetration testing and vulnerability scanning can help an organization identify and repair possible attack vectors, closing backdoors before an attacker can enter them and minimizing an attacker’s ability to escalate their privileges once inside the system.”

However, for any organization looking to improve its cyber threat response time, threat detection tools are a must. Network Traffic Analysis (NTA) works to monitor a network for any suspicious activity, detecting ransomware breaches and infection as quickly as possible. On top of these, active threat scans can give the organization peace of mind. As Lim recommends, “If a breach is spotted, it is important to reassess the state of the IT environment to ensure that there isn’t a repeat attack. Unfortunately, we live in an era where preventing 100% of cyber risks is no longer possible, but constant vigilance, ongoing-cyber threat education, and a well-planned threat detection and response strategy will go a long way towards keeping your organization’s most sensitive data safe.”

Leave a Response