Recently, two ransomware gangs, RansomExx and Darkside Group, have launched attacks against VMware ESXi environments and encrypted their virtual hard drives. A third group, operating the Babuk Locker ransomware, has also threatened such attacks, although none have been attributed to it yet.
These ransomware attacks exploit the VMware vulnerabilities CVE-2019-5544 and CVE-2020-3992 by sending malicious Service Location Protocol (SLP) requests to take control of ESXi servers and encrypt the virtual hard disk files. SLP is a protocol used by devices on the same network, including ESXi servers, to discover each other. In the reported cases, most of the virtual machines cannot boot after the attack, forcing critical business operations offline. The only way to recover is to restore data from backups or create new VMs. No decryption tool is currently available.
Security experts from Sangfor FarSight Labs recommend the following:
- Install VMware ESXi patches immediately and disable SLP unless necessary.
- Upgrade all VMware and application components as quickly as possible.
- Regularly back up or snapshot virtual machines. Creating a remote backup site or disaster recovery site is recommended where possible.
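The following script is an added example, not part of the Sangfor advisory, showing how an administrator can audit and, if SLP is not needed, disable it on an ESXi host. It assumes ESXi's BusyBox shell and the VMware-documented controls for the SLP service: the `slpd` init script, the `CIMSLP` firewall ruleset (which covers SLP's port 427) and `chkconfig`. The two parsing helpers take command output as an argument so the logic can be checked off-host against constructed samples.

```shell
#!/bin/sh
# Added example (not from the Sangfor advisory): audit and optionally disable
# SLP on an ESXi host. Assumes the ESXi BusyBox shell with awk available.

# Returns 0 when the CIMSLP firewall ruleset is enabled in the output of
# `esxcli network firewall ruleset list`, 1 otherwise (including when the
# ruleset is absent from the output).
cimslp_enabled() {
    printf '%s\n' "$1" | awk 'BEGIN { rc = 1 }
        $1 == "CIMSLP" && $2 == "true" { rc = 0 }
        END { exit rc }'
}

# Returns 0 when slpd is configured to start at boot in the output of
# `chkconfig --list`, 1 otherwise.
slpd_autostart() {
    printf '%s\n' "$1" | awk 'BEGIN { rc = 1 }
        $1 == "slpd" && $2 == "on" { rc = 0 }
        END { exit rc }'
}

# Collects the live host state and prints one line per finding.
# Only meaningful when run on an ESXi host.
audit_slp() {
    rulesets=$(esxcli network firewall ruleset list)
    boot=$(chkconfig --list)
    if cimslp_enabled "$rulesets"; then
        echo "FINDING: CIMSLP firewall ruleset enabled (SLP port 427 reachable)"
    fi
    if slpd_autostart "$boot"; then
        echo "FINDING: slpd is set to start at boot"
    fi
}

# Disables SLP in the order VMware documents for this workaround:
# stop the running service, block the port, and keep it from restarting at boot.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

case "${1:-}" in
    audit)   audit_slp ;;
    disable) disable_slp ;;
    *)       : ;;   # no argument: define the functions only
esac
```

Run `sh slp_check.sh audit` on the host first; only run `disable` after confirming nothing on the network relies on ESXi's SLP advertisement (for example, CIM-based monitoring that discovers hosts via SLP). Disabling SLP removes the exposed service but does not replace the VMware patches, which should still be applied.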
Sangfor XDDR Security Framework has already updated protections for this threat:
- Sangfor Endpoint Secure: update your signature database to 20210317164718 or higher. Make sure you are connected to Sangfor Neural-X.
- Sangfor NGAF: update your vulnerability database to 2021-3-18 or higher. Make sure Sangfor Neural-X is connected.
- Sangfor Cyber Command: update to the latest version and make sure the Sangfor Neural-X cloud is connected.