Tag Archive for: quickly

Banks must report cyber security incidents quickly under new federal rule – Seeking Alpha


New Python-based Ransomware Encrypts Virtual Machines Quickly


Sophos cybersecurity researchers have discovered a Python-based ransomware operation that escalated from a compromised corporate network to encrypted virtual machines in just three hours.

VMware ESXi datastores rarely have endpoint protection, the researchers noted, and they host virtual machines (VMs) that likely run critical services for the business, making them a very attractive target for hackers. In the threat landscape, it’s like winning the jackpot.

In this case, the attackers employed unusual techniques to lock data and prevent any recovery.

Why the Hackers Used Python

Python is a powerful programming language that can easily interact with the operating system with just a few lines of code, and ESXi servers are Linux-based systems that often have Python pre-installed.

Python is convenient for invoking commands from other programs through its os module. In this case, the hackers uploaded a lightweight Python script called fcker.py containing ESXi Shell commands such as vim-cmd vmsvc/getallvms and vim-cmd vmsvc/power.off.

These instructions are used to list all VMs and shut them down, necessary for starting the encryption. Then the script encrypts files in the /tmp directory with a single line of code invoking an openssl command. After that, the script overwrites original files with a certain four-letter curse word and covers its tracks by removing itself and generated files, including the vms.txt file that lists all VM names. Lastly, encrypted files are moved back from the /tmp directory to the datastore location.

The finishing touch is that the script exposes configurable parameters such as email addresses for payment, the file suffix for encrypted files, and the encryption keys, so the code can be reused against other targets by changing a few variables.

How the Attackers Gained Unauthorized Access

To be able to run that script, the hackers had to compromise the network first. They targeted a TeamViewer account that didn’t have multi-factor authentication enabled and ran in the background of an administrator’s computer.

They downloaded tools to scan the network and open an SSH connection. Unfortunately, the administrator still had his password manager open in a browser tab. The attackers found…

Colonial Pipeline CEO tells Senate decision to pay hackers was made quickly


Colonial Pipeline CEO Joseph Blount said Tuesday that his company paid hackers a $4.4 million ransom a day after discovering malware on its systems in early May. The company also hired outside consultants to handle negotiations with the hackers, who were paid in the bitcoin cryptocurrency.

Image caption: Colonial Pipeline was the target of a ransomware attack that forced it to shut down operations. Jim Watson/Getty Images

Blount, who was testifying before the Senate Committee on Homeland Security and Governmental Affairs, said the decision to pay the ransom on May 8 was made by the company itself. Federal authorities, however, were notified of the hack within hours of its discovery. 


“I made the decision to pay, and I made the decision to keep the information about the payment as confidential as possible,” Blount said. “I kept the information closely held because we were concerned about operational safety and security, and we wanted to stay focused on getting the pipeline back up and running.”

The testimony comes a day after the FBI said it had recovered millions of dollars in bitcoin paid to the DarkSide ransomware gang, which attacked the pipeline last month, prompting a shutdown of the East Coast’s main fuel-supply artery. The stoppage led to gasoline hoarding and soaring prices as motorists filled tanks amid uncertainty about supplies.

On Monday, the DOJ said it seized 63.7 bitcoins valued at a total of about $2.3 million, part of the ransom demanded by DarkSide. The criminal enterprise, which has since said it disbanded, is thought to be based in Russia.

The hack prompted the government to issue new cybersecurity regulations for pipeline operators. The new security directive, issued by the DHS Transportation Security Administration, requires critical pipeline companies to report confirmed and potential cyberattacks to the US Cybersecurity and Infrastructure Security Agency. The directive also requires pipeline companies to review their current security practices to identify any risks or gaps. Companies must report the results of these reviews to the TSA and CISA within 30 days.


This easy-to-use information-stealing trojan malware is quickly gaining popularity among cyber criminals – ZDNet
