VMware ESXi servers targeted by new Linux ransomware variant

The Play ransomware group, best known for its double extortion tactics, launched a series of attacks against VMware ESXi servers.

In a July 19 blog post, Trend Micro researchers said that most of the attacks have been concentrated in the United States. The researchers explained that the ransomware first verifies that it is running in an ESXi environment before executing, and that it has successfully bypassed security measures, such as those noted by VirusTotal.

It was the second time in as many weeks that security teams had to deal with VMware ESXi issues. Last week, it was reported that VMware ESXi servers at numerous organizations had been continuously targeted over the past month by the SEXi ransomware operation run by APT INC.

In April, it was also reported that SEXi ransomware attacks targeted ESXi servers in the infamous attack on MGM Resorts last fall. This was also noted by Tom Siu, Chief Information Security Officer at Inversion6.

“This specific (case) describes an attack vector that relies on initial access using stolen or compromised credentials, but could also exploit a remote vulnerability if a vulnerability is discovered in the VMware services,” Siu said.

Attackers targeting VMware ESXi environments pose a critical threat to enterprise infrastructure due to the hypervisor’s central role in managing virtualized resources, added Jason Soroko, senior vice president of product at Sectigo. Soroko said compromising an ESXi server could lead to widespread disruption, as a single attack could take down multiple virtual machines simultaneously, impacting core business operations and services.

“Play’s dual extortion tactics, which include encryption and exfiltration of data, increase the pressure on victims to pay the ransom,” Soroko said. “The addition of common lateral movement and persistence tools further underscores the strength of the threat.”

Saumitra Das, vice president of engineering at Qualys, said the growth in public and virtualized cloud and the associated misconfigurations have also coincided with the growth in Linux malware. In fact, Das said malware authors are increasingly moving to cross-platform frameworks, such as using GoLang to run their malware on different operating systems, and to reuse other command-and-control infrastructure around the malware.

“Linux malware is not as well studied as Windows variants due to their prevalence, but organizations need to pay much more attention to it as these systems are increasingly targeted by attackers,” Das said.

Patrick Tiquet, vice president, security and architecture at Keeper Security, added that the increasing popularity of cloud computing has led to a corresponding increase in VM usage, where multiple applications are consolidated onto a single physical server. This consolidation not only improves operational efficiency, but also provides attackers with the ability to compromise multiple services through a single breach, Tiquet said.

“As VM deployments continue to expand across cloud environments, they become even more attractive targets due to their shared resources and complex configurations,” Tiquet said. “VMware instances, which are common in enterprise infrastructure, are particularly attractive to attackers due to their critical role and widespread adoption. Successful breaches not only disrupt services and cause financial losses, but can also lead to sensitive data exposure and regulatory violations, severely damaging an organization’s reputation.”

Tiquet added that effective protection strategies for virtualized and cloud environments go beyond patching vulnerabilities.

Organizations should enforce strict network segmentation to limit lateral movement, implement strong access controls, and regularly monitor for vulnerabilities, he continued. Security hardening practices, such as disabling unnecessary services and using encryption, along with robust incident response plans and comprehensive backup strategies, are critical defenses.

“Administrators should always ensure they are using a secure vault and secrets management solution, and they should apply the necessary patches and updates as soon as possible,” Tiquet said. “They should also review their cloud console security controls to ensure they are following the latest recommendations.”