Beware of Ransomware attacking your Virtualization Environment


Recently, two ransomware gangs, RansomExx and the Darkside group, have launched attacks against VMware ESXi environments and encrypted their virtual hard drives. A third group, which operates the Babuk Locker ransomware, has also threatened such attacks, although none have been attributed to it yet.


These ransomware attacks exploit the VMware vulnerabilities CVE-2019-5544 and CVE-2020-3992 by sending malicious Service Location Protocol (SLP) requests to take control of ESXi servers and encrypt the virtual hard disk files. SLP is a protocol that devices on the same network, including ESXi servers, use to discover each other. In the cases reported, most virtual machines cannot boot after the attack, forcing critical business operations down. The only way to recover is to restore data from backups or create new VMs. Currently, there is no tool to decrypt the data.


Security experts from Sangfor FarSight Labs recommend the following:
  1. Install VMware ESXi patches immediately and disable SLP unless necessary.
  2. Upgrade all VMware and application components as quickly as possible.
  3. Regularly back up or snapshot virtual machines. It is recommended to create a remote backup site or disaster recovery site if possible.
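The first recommendation, disabling SLP on ESXi hosts that do not need it, can be scripted. The script below is an added example, not code from Sangfor or VMware: it uses the `/etc/init.d/slpd`, `esxcli network firewall ruleset` and `chkconfig` commands that VMware documents for turning off the slpd service, and its parsing helpers take command output as an argument so the audit logic can be checked off-host. The sample output embedded in the script is constructed, and the two-column layout it assumes for `esxcli network firewall ruleset list` and `chkconfig --list` is an assumption about the real output.

```shell
#!/bin/sh
# Added example (not from the original post): audit whether SLP is exposed on a
# VMware ESXi host and, when APPLY=1, disable it with the documented commands.
# Parsing helpers take command output as $1 so they can be tested off-host.

# Print "enabled", "disabled" or "absent" for the CIMSLP ruleset, given the
# output of 'esxcli network firewall ruleset list' (assumed: Name / Enabled columns).
cimslp_state() {
    printf '%s\n' "$1" | awk '
        $1 == "CIMSLP" { state = ($2 == "true") ? "enabled" : "disabled" }
        END { out = (state == "") ? "absent" : state; print out }'
}

# Print "on", "off" or "absent" for slpd, given the output of 'chkconfig --list'
# (assumed: lines of the form "<service> <on|off>").
slpd_state() {
    printf '%s\n' "$1" | awk '
        $1 == "slpd" { state = $2 }
        END { out = (state == "") ? "absent" : state; print out }'
}

# True (exit 0) when either the firewall rule is open or slpd starts at boot.
slp_is_exposed() {
    [ "$(cimslp_state "$1")" = "enabled" ] || [ "$(slpd_state "$2")" = "on" ]
}

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# The three steps VMware documents for disabling SLP on an ESXi host.
disable_slp() {
    run /etc/init.d/slpd stop
    run esxcli network firewall ruleset set -r CIMSLP -e 0
    run chkconfig slpd off
}

# Constructed sample output (not captured from a real host) for offline checks.
SAMPLE_RULESETS='Name         Enabled
-----------  -------
sshServer    true
CIMSLP       true
dhcp         true'
SAMPLE_CHKCONFIG='sshd   on
slpd   on
ntpd   off'

main() {
    if command -v esxcli >/dev/null 2>&1; then
        rulesets=$(esxcli network firewall ruleset list)
        services=$(chkconfig --list)
    else
        echo "esxcli not found; auditing constructed sample output" >&2
        rulesets=$SAMPLE_RULESETS
        services=$SAMPLE_CHKCONFIG
    fi
    if slp_is_exposed "$rulesets" "$services"; then
        echo "SLP exposed: CIMSLP=$(cimslp_state "$rulesets") slpd=$(slpd_state "$services")"
        if [ "${APPLY:-0}" = 1 ]; then disable_slp; fi
    else
        echo "SLP already disabled on this host"
    fi
}

main "$@"
```

Run it on the ESXi host as `sh audit_slp.sh` to report the current state, `APPLY=1 sh audit_slp.sh` to disable SLP, or `DRY_RUN=1 APPLY=1 sh audit_slp.sh` to see the commands without executing them; verify afterwards with `chkconfig --list | grep slpd`.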


Sangfor XDDR Security Framework has already updated protections for this threat:

  1. Sangfor Endpoint Secure: update your signature database to 20210317164718 or higher. Make sure you are connected to Sangfor Neural-X.
  2. Sangfor NGAF: update your vulnerability DB to 2021-3-18 or higher. Make sure Sangfor Neural-X is connected.
  3. Sangfor Cyber Command: update to the latest version and make sure the Sangfor Neural-X cloud is connected.
