A series of ransomware viruses attack VMware virtualization systems
01:35:00 | 17-06-2024

A series of ransomware families such as LockBit, HelloKitty, BlackMatter, RedAlert (N13V), Scattered Spider, Akira, Cactus, BlackCat and Cheerscrypt all target VMware ESXi infrastructure following a similar sequence of actions.


Campaigns often start by attacking administrators. Most recently, hackers used Google ads to trick administrators into installing viruses disguised as popular administration tools such as PuTTY and WinSCP. In other cases, hackers exploit system vulnerabilities to break in. From there, the hackers escalate privileges and collect login credentials for the VMware servers (ESXi, vCenter) through password brute forcing and other methods.

In the next step, the ransomware virus is deployed and encrypts all data, including backups. The virus even changes the system administrator password to hinder the victim's recovery.

In every campaign, the hackers also seek to widen the attack, spreading the ransomware across the entire system.

Virtualization platforms are a core component of every organization's IT infrastructure, but they frequently carry unpatched vulnerabilities and misconfigurations, making them easy targets for hackers.

To minimize the risks posed by such threats, organizations should ensure adequate monitoring and logging, build robust backup mechanisms, enforce strong authentication, and restrict the network to prevent lateral movement.
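As an added illustration of the monitoring and logging recommendation above (not code from the original article or from Bkav), the following Python script flags the password brute forcing against ESXi described earlier by scanning hostd-style log lines. The log line shape, the sample lines themselves and the thresholds are assumptions constructed for this example; adjust the pattern to the exact lines your hosts emit.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed hostd message shape: '... Rejected|Accepted password for user X from Y'.
# Adjust this pattern to the exact lines your ESXi hosts emit.
LINE_RE = re.compile(
    r"^(?P<ts>\S+Z)\s.*?(?P<outcome>Rejected|Accepted) password for user "
    r"(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample log (not real data): one source hammers root and then gets
# in; a second source has a single typo-style failure that must not alert.
SAMPLE_LOG = [
    "2024-06-17T01:30:01Z info hostd[2098765] Rejected password for user root from 203.0.113.7",
    "2024-06-17T01:30:02Z info hostd[2098765] Rejected password for user root from 203.0.113.7",
    "2024-06-17T01:30:05Z info hostd[2098765] Rejected password for user admin from 198.51.100.4",
    "2024-06-17T01:30:06Z info hostd[2098765] Rejected password for user root from 203.0.113.7",
    "2024-06-17T01:30:09Z info hostd[2098765] Rejected password for user root from 203.0.113.7",
    "2024-06-17T01:30:11Z info hostd[2098765] Rejected password for user root from 203.0.113.7",
    "2024-06-17T01:31:40Z info hostd[2098765] Accepted password for user root from 203.0.113.7",
]


def parse(line):
    """Return (timestamp, outcome, user, source) or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["outcome"], m["user"], m["src"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert on `threshold` failures from one source against one account within `window`, and again if that source then logs in."""
    failures = defaultdict(list)  # (src, user) -> timestamps of recent rejections
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, outcome, user, src = rec
        key = (src, user)
        recent = [t for t in failures[key] if ts - t <= window]
        if outcome == "Rejected":
            recent.append(ts)
            if len(recent) == threshold:  # fire once per burst, not on every extra failure
                alerts.append(("bruteforce", src, user, ts.isoformat()))
        elif len(recent) >= threshold:
            alerts.append(("success_after_bruteforce", src, user, ts.isoformat()))
        failures[key] = recent
    return alerts
```

The second alert type is the one worth paging on: a successful login right after a burst of failures against the same account is the moment the attack chain above moves from credential guessing to ransomware deployment.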

And to ensure comprehensive network security, agencies, organizations and businesses need a comprehensive solution against hackers and data-encrypting viruses, one that monitors every location through which hackers can intrude: the network layer, the server system, websites and all user endpoints, so that hackers and viruses are detected and blocked immediately, before they can harm the system.

Bkav