Sophos cybersecurity researchers have discovered a Python-based ransomware operation that escalated from a compromised corporate network to encrypted virtual machines in just three hours.
VMware ESXi datastores rarely have endpoint protection, the researchers noted, and they host virtual machines (VMs) that likely run critical services for the business, making them a very attractive target for hackers. In the threat landscape, it’s like winning the jackpot.
In this case, the attackers employed unusual techniques to lock data and prevent any recovery.
Why the Hackers Used Python
Python is a powerful programming language that can easily interact with the operating system with just a few lines of code, and ESXi servers are Linux-based systems that often have Python pre-installed.
Python is also convenient for invoking commands from other programs through its os module. In this case, the hackers uploaded a lightweight Python script called fcker.py containing ESXi Shell commands such as vim-cmd vmsvc/getallvms and vim-cmd vmsvc/power.off.
These commands list all VMs and shut them down, which has to happen before the encryption can start. The script then encrypts files in the /tmp directory with a single line of code that invokes an openssl command. After that, it overwrites the original files with a certain four-letter curse word and covers its tracks by deleting itself and the files it generated, including the vms.txt file that lists all VM names. Lastly, the encrypted files are moved back from the /tmp directory to their datastore location.
The finishing touch is that the script exposes configurable parameters, such as the email addresses for payment, the suffix appended to encrypted files, and the encryption keys, as variables and functions, which makes the code easy to reuse.
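From the defender's side, the sequence described above (enumerate every VM, power them all off within seconds, then run openssl against files under /tmp) is a distinctive pattern that ESXi's shell history can reveal. The following is an added detection example, not code from Sophos or from the attack, written against constructed log lines loosely modelled on ESXi's /var/log/shell.log; the exact line format on a real host, the five-minute window and the threshold of three power-off commands are all assumptions to tune locally.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not real host output) loosely modelled on the
# ESXi shell history log; a real /var/log/shell.log may differ in format.
SAMPLE_LOG = """\
2021-10-01T09:00:01Z shell[1001]: [root]: esxcli system version get
2021-10-01T09:12:30Z shell[1002]: [root]: vim-cmd vmsvc/getallvms
2021-10-01T09:12:35Z shell[1002]: [root]: vim-cmd vmsvc/power.off 1
2021-10-01T09:12:36Z shell[1002]: [root]: vim-cmd vmsvc/power.off 2
2021-10-01T09:12:37Z shell[1002]: [root]: vim-cmd vmsvc/power.off 3
2021-10-01T09:12:40Z shell[1002]: [root]: python /tmp/fcker.py
2021-10-01T09:12:41Z shell[1002]: [root]: openssl enc -aes-256-cbc -in /tmp/vm1.vmdk -out /tmp/vm1.vmdk.enc
2021-10-01T10:30:00Z shell[1003]: [root]: vim-cmd vmsvc/power.off 7
"""

# Assumed line layout: "<ISO timestamp> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")


def parse(log_text):
    """Turn shell-history text into (timestamp, user, command) tuples, skipping unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["cmd"]))
    return events


def find_mass_poweroff(events, window=timedelta(minutes=5), threshold=3):
    """Flag bursts of >= threshold power.off commands inside one window.

    Each alert also records whether a getallvms enumeration preceded the burst
    within the same window, which is the ordering the ransomware script used.
    """
    offs = [(ts, user) for ts, user, cmd in events if "vim-cmd vmsvc/power.off" in cmd]
    enum_times = [ts for ts, _, cmd in events if "vim-cmd vmsvc/getallvms" in cmd]
    alerts = []
    i = 0
    while i < len(offs):
        start, user = offs[i]
        j = i
        while j < len(offs) and offs[j][0] - start <= window:
            j += 1
        count = j - i
        if count >= threshold:
            enumerated = any(start - window <= t <= start for t in enum_times)
            alerts.append({"start": start, "user": user, "count": count,
                           "after_enumeration": enumerated})
            i = j  # skip past the burst we just reported
        else:
            i += 1
    return alerts


def find_openssl_encrypt(events):
    """Return every interactive 'openssl enc' invocation; on a hypervisor this is almost never legitimate."""
    return [(ts, user, cmd) for ts, user, cmd in events if re.match(r"openssl\s+enc\b", cmd)]


def find_tmp_scripts(events):
    """Return interpreter launches of scripts living under /tmp, another sign of a dropped tool."""
    return [(ts, user, cmd) for ts, user, cmd in events
            if re.match(r"(python\d?|sh|bash)\s+/tmp/", cmd)]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for a in find_mass_poweroff(evs):
        print("mass power-off:", a)
    for hit in find_openssl_encrypt(evs) + find_tmp_scripts(evs):
        print("suspicious command:", hit)
```

On the constructed sample this reports one power-off burst of three VMs preceded by an enumeration, one openssl encryption command and one script launched from /tmp; the isolated power-off an hour later stays below the threshold, which is the point of correlating by time rather than alerting on every single power.off.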
How the Attackers Gained Unauthorized Access
To be able to run that script, the hackers first had to compromise the network. They targeted a TeamViewer account that did not have multi-factor authentication enabled and was running in the background on an administrator's computer.
They downloaded tools to scan the network and open an SSH connection. Unluckily, the administrator still had his password manager open in a browser tab. The attackers found…