Ransomware operators target VMware ESXi hypervisors
Two ransomware families have simultaneously gained capabilities that let them attack VMware ESXi hypervisors and encrypt the files of virtual machines.
Fortunately, the attacks do not break into ESXi itself (a successful attack on the type-1 hypervisor would mean compromising the host), according to experts at the security company CrowdStrike. Instead, the ransomware operators rely on obtaining credentials for the vCenter servers used to manage ESXi hosts and their virtual machines.
After obtaining those credentials by extracting them from a browser or from host memory, the attackers write the Linux version of Defray777 to /tmp/ under the filename of a legitimate tool (for example, svc-new).
Once launched, the malware enumerates system information and running processes on the ESXi host. The group also knows enough about VMware and ESXi to attempt to remove VMware Fault Domain Manager (FDM), the component that automatically restarts failed virtual machines.
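As a defender-side illustration added here (not code from the article or from CrowdStrike), the following Python scanner flags, in ESXi shell-log style command records, the behaviours described above: a binary staged and executed from /tmp/ and an attempt to remove the Fault Domain Manager. The log line format, the sample lines and the `vmware-fdm` component name are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample lines in the style of ESXi /var/log/shell.log
# (timestamp, shell[pid], [user], command). All values are made up for this example.
SAMPLE_LOG = """\
2021-03-01T10:02:11Z shell[2100001]: [root]: esxcli vm process list
2021-03-01T10:03:45Z shell[2100001]: [root]: chmod +x /tmp/svc-new
2021-03-01T10:03:52Z shell[2100001]: [root]: /tmp/svc-new
2021-03-01T10:05:07Z shell[2100001]: [root]: esxcli software vib remove -n vmware-fdm
2021-03-01T10:06:30Z shell[2100001]: [root]: vim-cmd vmsvc/getallvms
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")


def classify(cmd: str) -> List[str]:
    """Return the behaviour tags that a single shell command matches."""
    tags = []
    tokens = cmd.split()
    if not tokens:
        return tags
    # Execution of a binary staged under /tmp/ (the article: Defray777 written to
    # /tmp/ under a legitimate-looking name such as svc-new).
    if tokens[0].startswith("/tmp/"):
        tags.append("exec_from_tmp")
    # Making a /tmp/ file executable is the usual step just before that.
    elif tokens[0] == "chmod" and any(t.startswith("/tmp/") for t in tokens[1:]):
        tags.append("stage_in_tmp")
    # Removal of the Fault Domain Manager component; the VIB name vmware-fdm is
    # assumed here, not stated in the article.
    lowered = cmd.lower()
    if "vib remove" in lowered and "fdm" in lowered:
        tags.append("fdm_removal")
    return tags


def scan(log_text: str) -> List[Dict[str, str]]:
    """Parse shell-log lines and return one finding per matched behaviour tag."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not shell command records
        for tag in classify(m["cmd"]):
            findings.append({"ts": m["ts"], "user": m["user"], "tag": tag, "cmd": m["cmd"]})
    return findings
```

Running `scan(SAMPLE_LOG)` yields three findings (staging, execution from /tmp/, FDM removal); the two benign enumeration commands produce none, so the rule keys on what is executed, not on a file merely existing in /tmp/.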
DarkSide ransomware, for its part, encrypts some of the file formats used by ESXi.
"If ransomware attacks on ESXi servers continue to be successful, it is likely that more attackers will begin to attack the virtualization infrastructure in the medium term," CrowdStrike said.
Source: securitylab.ru
02 March 2021