Good afternoon! As we all know, everyone adores their company’s IT department, but employees tend to be less enamored with the folks in HR, despite the occasional morale-boosting box of breakroom donut holes. Here’s why your colleagues in HR sometimes struggle with their reputations.
In today’s edition:
Decryption doom
Law and order
—Billy Hurley, Eoin Higgins, Patrick Lucas Austin
After years of encrypting hard drives, ransomware threat actors have hit on a different target: virtual machines. A successful compromise of a “host” platform holding “guest” VMs allows efficient hackers to get riches for their ransomware.
For Andrew Betts, incident response lead at IT cybersecurity provider Airiam, attackers’ encryption of the VMware operating system known as ESXi can lead to disruption after decryption.
“Shifting to the ESXi level has definitely been more catastrophic than what they were doing previously [with] the OS-level encryption, where you can just do a simple file and folder restore for a lot of these machines with their specific applications,” said Betts.
Virtually possible. A number of ransomware gangs have zeroed in on virtual machines—VMware recently noted a number of ESXi targeters.
A Sophos post in October 2021 revealed encryption of virtual disks in a VMware ESXi server—at the time, one of the quickest attacks the company had investigated. Mandiant’s M-Trends 2022 report cited Hive, Conti, BlackCat, and DarkSide as threat actors targeting the virtualization platforms VMware vSphere and ESXi.
A set of virtualized servers in one place is a jackpot to cybercriminals, said Drew Schmitt, principal threat intelligence analyst at the cybersecurity services firm GuidePoint. “Now, you’re encrypting the entire server by just encrypting one file,” Schmitt told IT Brew.
Or, to put the efficiency in action-movie terms: “One throat to choke. Kill that, the whole thing dies,” said Conor Quinlan, CEO at Airiam.
Files and files.
Some examples of virtual-machine files:
- A .vmx file contains configuration details like hardware and RAM.
- A .vmdk provides all of the virtual machine’s data and represents the hard disk. (“The .vmdks are always hit,” according to Betts.)
- “Flat” files are the actual raw disk file for each virtual hard drive.
These objects update and change. A .vmdk, for example, must write its data to a flat file. An encrypted .vmdk prevents the sync-up.
Read more here.—BH
Gather ’round, Euro netizens—your privacy protections are going to continue to take precedence over US law.
President Biden signed a wide-ranging executive order on October 7 to strengthen data management privacy standards, a move intended to bring the US in line with EU requirements.
“These steps will provide the European Commission with a basis to adopt a new adequacy determination, which will restore an important, accessible, and affordable data transfer mechanism under EU law,” the White House said in a statement announcing the actions.
Biden’s order establishes a number of requirements and regulations for the handling of data, a response to a number of miscues and false starts that have plagued EU–US data sovereignty relations. It’s seen as a first step in formalizing the new EU–US Data Privacy Framework.
Two years of limbo. In 2020, a lawsuit filed against Facebook Ireland by an Austrian activist named Maximilian Schrems invalidated the EU–US Privacy Shield. That agreement, which facilitated data transfers, hasn’t yet been replaced, though there is a negotiated framework to replace the shield.
The full ramifications of the Schrems case weren’t fully appreciated in the US at first, said Kenneth White, a US-based cloud security researcher and the director of the Open Crypto Audit Project. Today, there’s a feeling of having to catch up, as cloud providers adapt data management to the countries their servers are located in and where their customers reside.
Yet, some of the concerns in Europe “about potential overreach” can miss the point of security and privacy protections, White said.
“What I think is missing in that conversation sometimes is that if a particular target is sought by a really well-resourced adversary, whether that’s a Western nation state or anyone else, it’s sufficiently motivated, there are technical means to get information,” White said.
Read about it here.—EH
Today’s top IT reads.
Stat: 45%. That’s the share of organizations deploying a password management solution—at a time when traditional password protection is increasingly under scrutiny for effectiveness. (Cybersecurity Dive)
Quote: “The current unregulated system of interagency access to millions of Americans’ records goes far beyond what a reasonable person would expect or tolerate.”—Senator Ron Wyden, on federal agency access to a database containing the personal information of millions of Americans (Ron Wyden)
Read: Soccer fans at this year’s World Cup will be subject to unprecedented levels of biometric surveillance. (Wired)
- Apple cuts iPhone production by 3 million as demand for product drops.
- Electric vehicles could power your home in the future through bidirectional charging.
- Twitter is reportedly asking some of the employees it unceremoniously laid off to please come back.
- Tips and tricks to solve corruption in Windows operating system.