Ransomware attacks targeting VMware ESXi infrastructure follow an established pattern regardless of the file-encrypting malware deployed, new findings show.
"Virtualization platforms are a core component of organizational IT infrastructure, yet they often suffer from inherent misconfigurations and vulnerabilities, making them a lucrative and highly effective target for threat actors to abuse," cybersecurity firm Sygnia said in a report shared with The Hacker News.
The Israeli company, through its incident response efforts involving various ransomware families like LockBit, HelloKitty, BlackMatter, RedAlert (N13V), Scattered Spider, Akira, Cactus, BlackCat and Cheerscrypt, found that attacks on virtualization environments adhere to a similar sequence of actions.
This includes the following steps -
- Obtaining initial access through phishing attacks, malicious file downloads, and exploitation of known vulnerabilities in internet-facing assets
- Escalating their privileges to obtain credentials for ESXi hosts or vCenter using brute-force attacks or other methods
- Validating their access to the virtualization infrastructure and deploying the ransomware
- Deleting or encrypting backup systems, or in some cases, changing the passwords, to complicate recovery efforts
- Exfiltrating data to external locations such as Mega.io, Dropbox, or their own hosting services
- Initiating the execution of the ransomware to encrypt the "/vmfs/volumes" folder of the ESXi filesystem
- Propagating the ransomware to non-virtualized servers and workstations to widen the scope of the attack
To mitigate the risks posed by such threats, it's recommended for organizations to ensure adequate monitoring and logging are in place, create robust backup mechanisms, enforce strong authentication measures, and harden the environment, and implement network restrictions to prevent lateral movement.
The development as cybersecurity company Rapid7 warned of an ongoing campaign since early March 2024 that employs malicious ads on commonly used search engines to distribute trojanized installers for WinSCP and PuTTY via typosquatted domains and ultimately install ransomware.
These counterfeit installers act as a conduit to drop the Sliver post-exploitation toolkit, which is then used to deliver more payloads, including a Cobalt Strike Beacon that's leveraged for ransomware deployment.
The activity shares tactical overlaps with prior BlackCat ransomware attacks that have used malvertising as an initial access vector as part of a recurring campaign that delivers the Nitrogen malware.
"The campaign disproportionately affects members of IT teams, who are most likely to download the trojanized files while looking for legitimate versions," security researcher Tyler McGraw said.
"Successful execution of the malware then provides the threat actor with an elevated foothold and impedes analysis by blurring the intentions of subsequent administrative actions."
The disclosure also follows the emergence of new ransomware families like Beast, MorLock, Synapse, and Trinity, with the MorLock group extensively going after Russian companies and encrypting files without first exfiltrating them.
"For the restoration of access to data, the [MorLock] attackers demand a considerable ransom, the size of which can be tens and hundreds of millions of rubles," Group-IB's Russian offshoot F.A.C.C.T. said.
According to data shared by NCC Group, global ransomware attacks in April 2024 registered a 15% decline from the previous month, dropping from 421 to 356.
Notably, April 2024 also marks an end to LockBit's eight-month reign as the threat actor with the most victims, highlighting its struggles to stay afloat in the aftermath of a sweeping law enforcement takedown earlier this year.
"In a surprising turn of events however, LockBit 3.0 was not the most prominent threat group for the month and had fewer than half of the observed attacks they did in March," the company said. "Instead, Play was the most active threat group, followed shortly after by Hunters."
The turbulence in the ransomware scene has been complemented by cyber criminals advertising hidden Virtual Network Computing (hVNC) and remote access services like Pandora and TMChecker that could be utilized for data exfiltration, deploying additional malware, and facilitating ransomware attacks.
"Multiple initial access brokers (IABs) and ransomware operators use [TMChecker] to check available compromised data for the presence of valid credentials to corporate VPN and email accounts," Resecurity said.
"The concurrent rise of TMChecker is thus significant because it substantially lowers the cost barriers to entry for threat actors looking to obtain high-impact corporate access either for primary exploitation or for sale to other adversaries on the secondary market."
