Ransomware targets VMware ESXi virtual machines

Ransomware groups are now targeting the VMware ESXi hypervisors in your environment. A new ransomware variant known as Black Basta was reported in a BleepingComputer article, which details that it is going after VMware ESXi servers. Let’s take a look at that ransomware as well as how you can effectively protect your VMware ESXi servers from this dangerous new threat.

Ransomware targets VMware ESXi

This new threat is detailed by BleepingComputer in the article titled “Linux version of Black Basta ransomware targets VMware ESXi servers”. Let’s go over a few of the details that are known at this point. Most ransomware groups are now trying to attack ESXi VMs. Think about it in an enterprise environment: if you can compromise a VMware ESXi hypervisor that has shared storage in a vSphere cluster, you’ve got everything, all of their production critical workloads: servers, workstations, VDI environments, you name it.

This is not the first time that groups have attempted this. There have been others, including, as the article mentions, LockBit, Hello Kitty, BlackMatter and REvil; Black Basta is one of the newest. BleepingComputer details that the ransomware searches the VMFS volumes directory (/vmfs/volumes), which is the default location for virtual machines running in vSphere. It appends a .basta extension to the encrypted file names and creates ransom notes. At that point the attackers provide a unique chat URL through which you can interface with the ransomware group to work out payment details. The ransomware was spotted in the wild in April 2022. As one security analyst quoted in the article put it, the reason most ransomware groups implemented a Linux-based version of their ransomware is to target ESXi specifically.
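As an added example (not from the article or BleepingComputer’s write-up), here is a small Python triage script that walks a datastore tree for the .basta extension described above and reports, per VM folder, which original file types were hit and whether a plain .vmx still survives. The default root /vmfs/volumes and the rule that a stray .txt file in a VM folder is a ransom-note candidate are assumptions; the sample layout is constructed.

```python
import os
import tempfile

# Added example, not from the article: triage a datastore tree for the
# ".basta" extension that Black Basta appends to encrypted files.
BASTA_EXT = ".basta"

def scan_datastore(root="/vmfs/volumes"):
    """Walk `root` and return {vm_folder: details} for every folder that holds
    at least one .basta file or a ransom-note candidate. Keys are relative paths."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = sorted(f for f in files if f.lower().endswith(BASTA_EXT))
        # Heuristic (assumption): VM folders normally hold no .txt files, so a
        # new one is a possible ransom note worth a look.
        notes = sorted(f for f in files if f.lower().endswith(".txt"))
        if not encrypted and not notes:
            continue
        # A surviving plain .vmx means the VM's configuration was not (yet) touched.
        intact_vmx = any(f.lower().endswith(".vmx") for f in files)
        # Strip ".basta" to recover the original extensions (which disks/configs were hit).
        orig_exts = sorted({os.path.splitext(f[:-len(BASTA_EXT)])[1].lower() for f in encrypted})
        report[os.path.relpath(dirpath, root).replace(os.sep, "/")] = {
            "encrypted": encrypted,
            "original_extensions": orig_exts,
            "intact_vmx": intact_vmx,
            "note_candidates": notes,
        }
    return report

def build_sample_datastore():
    """Create a constructed datastore layout in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="vmfs_sample_")
    layout = {
        "ds1/vm1": ["vm1.vmx.basta", "vm1.vmdk.basta", "vm1-flat.vmdk.basta", "vm1.nvram"],
        "ds1/vm2": ["vm2.vmx", "vm2.vmdk", "vm2-flat.vmdk"],          # untouched VM
        "ds1/vm3": ["vm3-flat.vmdk.basta", "vm3.vmx", "readme.txt"],  # partially hit
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()
    return root

if __name__ == "__main__":
    for folder, info in scan_datastore(build_sample_datastore()).items():
        print(folder, info)
```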

So now let’s look at six ways that we can protect VMware ESXi from ransomware, such as Black Basta.

1. Segment your VMware ESXi management interface from the rest of your network. It is never a good idea to have your VMware ESXi management interface IP address on the same network as internet-connected clients. Never, never, never put your VMware management interface IP on the same network as internet-facing clients.

2. Always shut down services that are dangerous to leave running on VMware ESXi, case in point: SSH. I can’t tell you how many environments I have been in where production VMware ESXi hosts were not only on client-facing networks, but also had dangerous protocols left running for no reason, specifically SSH.

3. Be careful how you assign permissions in your VMware vSphere environment. It is very common in enterprise organizations for administrators who are domain administrators in a Windows Active Directory environment to also be made vSphere administrators by default. It’s a dangerous proposition to have high-level access from Windows domain accounts assigned to your VMware vSphere infrastructure.

Why is that? Attackers often go after and pound Active Directory to harvest credentials, and it is one of the most sought-after targets for credential compromise. You want to separate that risk: don’t give the same account high-level access in both Windows Active Directory and your VMware vSphere infrastructure. Assign very high-level administrator permissions only to local vSphere accounts. That way you keep that risk separated from the Active Directory accounts that are so often targeted by phishing campaigns, brute-force attacks, weak or compromised passwords, and breached password lists. Also implement two-factor authentication for your vCenter Server.

4. Protect your VMware ESXi server against ransomware attacks using Lockdown mode.

Now what is lockdown mode? Lockdown mode is a special mode of operation for VMware ESXi that locks down access to the ESXi host itself, so that operations are restricted to being performed from vCenter Server only. Any configuration or other operations must be initiated from vCenter Server, not on the ESXi host directly. Enabling it is a pretty easy process: in the host’s Security Profile settings you will see Lockdown Mode; click Edit, and the lockdown mode configuration appears, where you choose either Normal or Strict lockdown mode. This is a great way to enforce the security of your VMware ESXi server against attacks such as ransomware.

5. Another way to protect your VMware ESXi server from ransomware is to use a little-known advanced configuration setting of the ESXi host called execInstalledOnly. In the host UI, click the Manage menu, then Advanced settings, and search for execInstalledOnly. This is a simple True or False setting: when it is enabled, the VMkernel can only execute binaries that came from signed VIB files. VIB files are the installation packages that VMware ESXi knows and understands. So when this setting is set to True, the host will refuse to execute anything that is not from a signed VIB. It is definitely a great protection against ransomware that would target your VMware ESXi server.

6. Finally, protect your VMware ESXi server from ransomware by keeping VMware ESXi updated. Vulnerabilities allow attackers to compromise systems, so keeping your VMware ESXi server patched helps reduce your attack surface for attacks such as ransomware.
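An added example (not the article’s own code) that audits steps 2, 4 and 5 above through the vSphere API with pyVmomi: it reads the SSH service state, the lockdown mode and the VMkernel.Boot.execInstalledOnly advanced setting (the full key of the execInstalledOnly setting) for each host and lists what still needs fixing. The vCenter address and the local SSO account name are placeholders, and pyVmomi must be installed for the live part; evaluate() works on plain facts without a vCenter.

```python
from dataclasses import dataclass

@dataclass
class HostFacts:
    """Host settings relevant to the article's steps 2, 4 and 5."""
    name: str
    ssh_running: bool
    ssh_policy: str        # "off", "on" (start with host) or "automatic"
    lockdown_mode: str     # "lockdownDisabled", "lockdownNormal" or "lockdownStrict"
    exec_installed_only: bool

def collect_facts(host):
    """Read the facts from a pyVmomi vim.HostSystem (needs a live vCenter session)."""
    services = host.configManager.serviceSystem.serviceInfo.service
    ssh = next(s for s in services if s.key == "TSM-SSH")
    # QueryOptions returns a list of OptionValue; the boolean .value is the setting.
    opt = host.configManager.advancedOption.QueryOptions("VMkernel.Boot.execInstalledOnly")[0]
    return HostFacts(host.name, bool(ssh.running), str(ssh.policy),
                     str(host.config.lockdownMode), bool(opt.value))

def evaluate(facts):
    """Return the findings for one host; an empty list means all three checks pass."""
    findings = []
    if facts.ssh_running or facts.ssh_policy != "off":
        findings.append("SSH (TSM-SSH) is running or set to start automatically; "
                        "stop it and set its startup policy to off")
    if facts.lockdown_mode == "lockdownDisabled":
        findings.append("Lockdown mode is disabled; enable Normal or Strict "
                        "so changes must come through vCenter Server")
    if not facts.exec_installed_only:
        findings.append("VMkernel.Boot.execInstalledOnly is FALSE; set it to TRUE "
                        "so only binaries from signed VIBs can execute")
    return findings

if __name__ == "__main__":
    # Live run; the vCenter address and account are placeholders (assumptions).
    import getpass
    from pyVim.connect import SmartConnect, Disconnect
    from pyVmomi import vim
    si = SmartConnect(host="vcenter.example.invalid", user="audit@vsphere.local",
                      pwd=getpass.getpass("vCenter password: "))
    view = si.content.viewManager.CreateContainerView(si.content.rootFolder, [vim.HostSystem], True)
    for host in view.view:
        facts = collect_facts(host)
        print(facts.name, evaluate(facts) or ["OK"])
    view.Destroy()
    Disconnect(si)
```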

Well there you have it guys. Six ways that you can protect your VMware ESXi servers from attacks such as ransomware. And many of these are security best practices for hardening your ESXi servers as well as making them more challenging for attackers to compromise.
