Watch out! A newly discovered Python-based ransomware went from initial access to encrypted virtual machines in under three hours. Researchers from Sophos describe it as one of the fastest ransomware attacks they have seen.

What do we know?  

  • Sophos revealed that a new ransomware variant written in Python was deployed roughly three hours after the attackers broke into a TeamViewer account on a machine belonging to a user with domain administrator rights; within ten minutes of logging in they were already scanning the network for targets.
  • That access let the attackers identify a VMware ESXi server on the network as the target for the next stage of the attack.
  • The server was exposed because its ESXi Shell, a built-in management shell that is disabled by default, had been left enabled. The attackers installed the Bitvise SSH client on the compromised machine and used it to log in to the hypervisor over SSH.
  • Through that SSH session they accessed the ESXi server and its datastore, including the virtual disk files (VMDKs) of the hosted VMs.
 

About Python-based ransomware

  • The ransomware script contains several sets of encryption keys, contact email addresses, and an option to customize the suffix appended to encrypted files.
  • Once run on the hypervisor, the script shuts down all running VMs and then encrypts their disk files on the datastore, so every guest is taken out at once and recovery without the key is impractical.

VMs are becoming a valuable target

  • The choice of Python shows attackers adapting their tooling to the target (ESXi ships with a Python interpreter, so a script runs there without extra dependencies), but going after ESXi servers is nothing new.
  • Linux builds of REvil, HelloKitty, and DarkSide ransomware have previously been seen targeting VMware ESXi servers: encrypting VM disk files at the hypervisor layer hits many systems in one pass and sidesteps anti-virus agents that run inside the guests.

Final words

The growing number of ransomware attacks that reach virtual machines through the hypervisor is a pressing issue that organizations must address. Hardening ESXi and other hypervisors is one of the most effective defences: keep the ESXi Shell and SSH disabled unless they are needed for maintenance and set a timeout on them when they are, use long, unique passwords for hypervisor and remote-access accounts, and do not expose remote-access tools such as TeamViewer without strong authentication. Wherever possible, enable MFA, and enforce it for accounts with privileged permissions such as domain administrators.
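The hardening steps above, as an added example that is not part of the Sophos report or the original article. The script uses the `vim-cmd` and `esxcli` tools that ship with ESXi, so the hardening functions only do something when run on an ESXi host; the audit helper reads `esxcli ... list` output from stdin so it can be checked offline against constructed sample output. The timeout and lockout values are assumptions chosen for illustration, not settings taken from the report.

```sh
#!/bin/sh
# Added example: lock down the ESXi Shell/SSH path the attackers used, then
# audit the result. Not code from the article or from Sophos.

# 1. Disable and stop the ESXi Shell and SSH services. Both are off by default;
#    the intrusion above relied on a host where the shell had been left enabled.
harden_esxi_shell() {
    vim-cmd hostsvc/disable_esx_shell
    vim-cmd hostsvc/stop_esx_shell
    vim-cmd hostsvc/disable_ssh
    vim-cmd hostsvc/stop_ssh
}

# 2. If the shell has to be enabled for maintenance, make it expire on its own.
#    ESXiShellTimeOut disables the services after N seconds, ESXiShellInteractiveTimeOut
#    closes idle sessions. 0 means "never" and is the default. 600 s is an assumed value.
set_shell_timeouts() {
    timeout="${1:-600}"
    esxcli system settings advanced set -o /UserVars/ESXiShellTimeOut -i "$timeout"
    esxcli system settings advanced set -o /UserVars/ESXiShellInteractiveTimeOut -i "$timeout"
}

# 3. Brute-force resistance for the root/SSH login path: lock the account after
#    a few failures and require long, mixed-class passwords. In PasswordQualityControl
#    the five min= fields are minimum lengths for passwords built from 1 class,
#    2 classes, a passphrase, 3 classes and 4 classes; "disabled" forbids that type.
#    3 failures / 900 s unlock / 15 chars are assumed values.
set_lockout_and_password_policy() {
    esxcli system settings advanced set -o /Security/AccountLockFailures -i 3
    esxcli system settings advanced set -o /Security/AccountUnlockTime -i 900
    esxcli system settings advanced set -o /Security/PasswordQualityControl \
        -s "retry=3 min=disabled,disabled,disabled,disabled,15"
}

# Audit helper: read the output of
#   esxcli system settings advanced list -o /UserVars/ESXiShellTimeOut
# (or any other integer option) from stdin and succeed only if the current
# "Int Value" is non-zero, i.e. a timeout or lockout threshold is actually set.
int_value_nonzero() {
    val=$(sed -n 's/^[[:space:]]*Int Value:[[:space:]]*//p')
    [ -n "$val" ] && [ "$val" -ne 0 ]
}

# Convenience wrapper for use on the host itself.
audit_option() {
    esxcli system settings advanced list -o "$1" | int_value_nonzero
}

# Offline demonstration with constructed esxcli output (not captured from a
# real host): the first sample is the insecure default, the second is hardened.
SAMPLE_TIMEOUT_OFF='   Path: /UserVars/ESXiShellTimeOut
   Type: integer
   Int Value: 0
   Default Int Value: 0'

SAMPLE_TIMEOUT_ON='   Path: /UserVars/ESXiShellTimeOut
   Type: integer
   Int Value: 600
   Default Int Value: 0'

if [ "${1:-}" = "--demo" ]; then
    if printf '%s\n' "$SAMPLE_TIMEOUT_OFF" | int_value_nonzero; then
        echo "ESXiShellTimeOut: set"
    else
        echo "ESXiShellTimeOut: NOT set (shell never expires)"
    fi
    if printf '%s\n' "$SAMPLE_TIMEOUT_ON" | int_value_nonzero; then
        echo "ESXiShellTimeOut: set"
    fi
fi
```

On a live host, run `harden_esxi_shell`, `set_shell_timeouts` and `set_lockout_and_password_policy` from a console session, then confirm with `audit_option /UserVars/ESXiShellTimeOut` and `audit_option /Security/AccountLockFailures`; a non-zero exit from either means the default of "never" is still in force. Note that the `Default Int Value` line is deliberately not matched, so the check reports the effective value rather than the factory default.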


Cyware Publisher