Beware of Ransomware attacking your Virtualization Environment

Recently, two ransomware gangs, RansomExx and the Darkside Group, have launched attacks against VMware ESXi environments and encrypted their virtual hard drives. A third group, which operates the Babuk Locker ransomware, has also threatened attacks, although none have been attributed to it yet.

These ransomware attacks exploit the VMware vulnerabilities CVE-2019-5544 and CVE-2020-3992 by sending malicious Service Location Protocol (SLP) requests to take control of ESXi servers and encrypt the virtual hard disk files. SLP is a protocol used by devices on the same network, including ESXi servers, to discover each other. In the reported cases, most of the virtual machines cannot boot after the attack, forcing critical business operations to go down. The only way to recover is to restore data from backups or create new VMs. Currently, there is no tool to decrypt the data.

Security experts from Sangfor FarSight Labs recommend the following:

  1. Install VMware ESXi patches immediately and disable SLP unless necessary.
  2. Upgrade all VMware and application components as quickly as possible.
  3. Regularly back up or snapshot virtual machines. It is recommended to create a remote backup site or disaster recovery site if possible.
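As an added illustration (not part of the original advisory), the following Python check supports recommendation 1: once SLP is disabled on the ESXi hosts, any SLP traffic (port 427) still reaching them, and especially traffic from outside the management network, is worth investigating. The ESXi addresses, the allowed management subnet and the Zeek-style conn records are all constructed assumptions.

```python
import ipaddress

# Constructed sample of Zeek-style conn records (tab-separated):
# ts, src_ip, src_port, dst_ip, dst_port, proto. Not real traffic.
SAMPLE_CONN_LOG = """\
1615980000.1\t10.0.5.23\t50212\t10.0.10.11\t427\tudp
1615980001.7\t10.0.10.12\t427\t10.0.10.11\t427\tudp
1615980002.3\t198.51.100.77\t41235\t10.0.10.11\t427\ttcp
1615980003.9\t10.0.5.23\t51000\t10.0.10.11\t443\ttcp
garbage line that should be skipped
"""

SLP_PORT = "427"  # SLP listens on TCP and UDP 427


def find_suspicious_slp(log_text, esxi_hosts, allowed_nets):
    """Return (ts, src, dst, proto) for every SLP connection to an ESXi host
    whose source lies outside the allowed management networks."""
    esxi = {ipaddress.ip_address(h) for h in esxi_hosts}
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6:
            continue  # malformed record: skip rather than crash the sweep
        ts, src, _sport, dst, dport, proto = fields[:6]
        if dport != SLP_PORT:
            continue
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        if dst_ip not in esxi:
            continue
        if any(src_ip in net for net in nets):
            continue  # expected management traffic
        hits.append((ts, src, dst, proto))
    return hits


if __name__ == "__main__":
    # Assumed ESXi hosts 10.0.10.11/12 and management subnet 10.0.10.0/24.
    for hit in find_suspicious_slp(SAMPLE_CONN_LOG, ["10.0.10.11", "10.0.10.12"], ["10.0.10.0/24"]):
        print("SLP to ESXi from outside management net:", hit)
```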

Sangfor XDDR Security Framework has already updated protections for this threat:

  1. Sangfor Endpoint Secure: update your signature database to 20210317164718 or higher. Make sure you are connected to Sangfor Neural-X.
  2. Sangfor NGAF: update your vulnerability DB to 2021-3-18 or higher. Make sure Sangfor Neural-X is connected.
  3. Sangfor Cyber Command: update to the latest version and make sure the Sangfor Neural-X cloud is connected.
