In Before The Lock: ESXi

Editor's note: This is an excerpt from a full report. To read the complete analysis with endnotes, click here to download the report as a PDF.

Executive Summary

As organizations continue virtualizing their critical infrastructure and business systems, threat actors deploying ransomware have responded in kind. Between 2021 and 2022 we observed an approximately 3-fold increase in ransomware targeting ESXi, with offerings available from many groups including ALPHV, LockBit, and BlackBasta. We identified and described detection strategies for multiple TTPs that are often seen prior to the dropping of the ransomware payload in order to create detections and mitigations that are based on real-world, threat-actor use of these tools. In addition to providing tool-specific detections such as YARA and Sigma rules, we also identified detections for common enumeration, exploitation, and persistence techniques. The detections and mitigations provided can be used not only for the tools assessed below but also for custom (threat actor-specific) tools that are outside the scope of this report. Organizations looking to threat hunt, detect, and mitigate pre-ransomware TTPs for ESXi systems should use the detections provided as a starting point to develop detections specific to their environment and as part of a layered security approach. The infancy of defensive products such as endpoint detection and response (EDR) or antivirus software (AV) currently available for ESXi, combined with organizations’ increased reliance on virtualization, creates an attractive target for threat actors and can potentially lead to operational downtime and reputational damage to an organization.

Key Takeaways

Background

Ransomware groups continue to evolve and expand their toolsets, focusing on more specialized targets and creating more refined tooling based on opportunities to make money. VMware ESXi is the market-leading, enterprise-grade hypervisor designed for deploying and serving virtual infrastructure. ESXi-targeting ransomware will continue to present a threat to organizations that are shifting towards virtualizing the majority of their server infrastructure. The practice of securing virtualized infrastructure is complicated due to the proprietary nature of the technology and the relative infancy of defensive products designed for it. As a result of these factors, ESXi presents an exceptionally attractive target for financially motivated threat actors.

In 2020, there were very few mentions of ESXi ransomware attacks, as threat actors primarily targeted Windows-based networks due to the availability of initial access presented by the pandemic and multiple critical vulnerabilities (such as CVE-2018-13379, CVE-2019-11510, and CVE-2019-19781). As organizations responded with more effective defenses against ransomware and threat actors recognized the defensive gaps in virtualized networks, threat actors began to create ESXi-specific ransomware and techniques. In 2021, cyberattacks involving ESXi ransomware increased. During 2022, we observed a 3-fold year-over-year increase in ransomware attacks by a larger number of ransomware groups and advanced TTPs and tooling targeting virtualized infrastructure, as seen in Figure 1 below.

Figure 1: Ransomware attacks targeting ESXi tripled in one year (Source: Recorded Future).
