{"id":18164,"date":"2021-03-26T22:34:48","date_gmt":"2021-03-26T18:34:48","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/ransomware-in-virtual-environment\/18164\/"},"modified":"2021-03-26T22:34:48","modified_gmt":"2021-03-26T18:34:48","slug":"ransomware-in-virtual-environment","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/ransomware-in-virtual-environment\/18164\/","title":{"rendered":"Ransomware in a virtual environment"},"content":{"rendered":"

Although it significantly reduces some cyberthreat risks, virtualization is no more a panacea than any single other practice. A ransomware attack can still hit virtual infrastructure, as ZDNet<\/a> reported recently, for example through vulnerable versions of VMware ESXi,<\/p>\n

Using virtual machines is a strong and safe practice. For example, using a VM can mitigate the harm of an infection if the virtual machine holds no sensitive data. Even if the user accidentally activates a Trojan on a virtual machine, simply mounting a fresh image of the virtual machine reverses any malicious changes.<\/p>\n

However, RansomExx<\/a> ransomware specifically targets vulnerabilities in VMware ESXi to attack virtual hard disks. The Darkside group is reported to use the same method, and the creators of the BabukLocker Trojan hint<\/a> at being able to encrypt ESXi.<\/p>\n

What are the vulnerabilities?<\/h2>\n

The VMware ESXi hypervisor lets multiple virtual machines store information on a single server through Open SLP (Service Layer Protocol), which can, among other things, detect network devices without preconfiguration. The two vulnerabilities in question are CVE-2019-5544<\/a> and CVE-2020-3992<\/a>, both old-timers and thus not new to cybercriminals. The first is used to carry out heap overflow attack<\/a>s, and the second is of the type Use-After-Free<\/a> \u2014 that is, related to the incorrect use of dynamic memory during operation.<\/p>\n

Both vulnerabilities were closed a while ago (the first in 2019, the second in 2020), but in 2021, criminals are still conducting successful attacks through them.\u00a0 As usual, that means some organizations haven\u2019t updated their software.<\/p>\n

How malefactors exploit ESXi vulnerabilities<\/h2>\n

Attackers can use the vulnerabilities to generate malicious SLP requests and compromise data storage. To encrypt information they first need, of course, to penetrate the network and gain a foothold there. That\u2019s not a huge problem, especially if the virtual machine isn\u2019t running a security solution.<\/p>\n

To get entrenched in the system, RansomExx operators can, for example, use the\u00a0Zerologon<\/a>\u00a0vulnerability (in the Netlogon Remote Protocol). That is, they trick a user into running malicious code on the virtual machine, then seize control of the Active Directory controller, and only then encrypt the storage, leaving behind a ransom note.<\/p>\n

Incidentally, Zerologon is not the only option, just one of the most dangerous options because its exploitation is almost impossible to detect without special services<\/a>.<\/p>\n

How to stay protected from attacks on MSXI<\/h2>\n