This New Python-based Ransomware Unfolds Attacks in Record Time

What do we know?  

• Sophos revealed that a new ransomware variant written in Python was deployed ten minutes after attackers broke into a TeamViewer account of the targeted organization.  
• The unauthorized access to the TeamViewer account enabled the attackers to identify a vulnerable VMware ESXi server suitable for the next stage of the assault. 
• Researchers explained that the server was likely vulnerable to exploitation due to an active shell, and this led to the installation of Bitvise software.
• The threat actors made use of Bitvise to tap into ESXi and other virtual disk files.     

About Python-based ransomware

• The ransomware includes different sets of encryption keys, email addresses, and options for customizing the suffix to append the encrypted files.  
• Once installed, the ransomware disables all VMs and begins encryption, making it difficult for victims to decrypt the files. 

VMs are becoming a valuable target

• While the choice of Python for the ransomware showcases attackers’ evolving approach but going after the ESXi server is nothing new.
• Previously, Linux versions of REvil, HelloKitty, and DarkSide ransomware were spotted targeting the VMware ESXi servers to evade detection from anti-virus software.

Final words