Ransomware on the virtual machine complicates recovery

Ransomware is sliding into your VMs?
Francis Scialabba

· 3 min read

After years of encrypting hard drives, ransomware threat actors have hit on a different target: virtual machines. A successful compromise of the “host” platform that runs the “guest” VMs lets attackers encrypt every machine on it in one pass, a far more efficient route to a payout.

For Andrew Betts, incident response lead at IT cybersecurity provider Airiam, attackers’ encryption at the level of ESXi, VMware’s bare-metal hypervisor, can leave systems disrupted even after the files are decrypted.

“Shifting to the ESXi level has definitely been more catastrophic than what they were doing previously [with] the OS-level encryption, where you can just do a simple file and folder restore for a lot of these machines with their specific applications,” said Betts.

Virtually possible. A number of ransomware gangs have zeroed in on virtual machines, and VMware itself has recently noted several groups targeting ESXi.

A Sophos post in October 2021 revealed encryption of virtual disks in a VMware ESXi server—at the time, one of the quickest attacks the company had investigated. Mandiant’s M-Trends 2022 report cited Hive, Conti, BlackCat, and DarkSide as threat actors targeting the virtualization platforms VMware vSphere and ESXi.

A set of virtualized servers in one place is a jackpot to cybercriminals, said Drew Schmitt, principal threat intelligence analyst at the cybersecurity services firm GuidePoint Security. “Now, you’re encrypting the entire server by just encrypting one file,” Schmitt told IT Brew.

Or, to put the efficiency in action-movie terms: “One throat to choke. Kill that, the whole thing dies,” said Conor Quinlan, CEO at Airiam.

Files and files.

Some examples of virtual-machine files:

  • A .vmx file holds the VM’s configuration: virtual hardware, RAM, and which disk files it uses.
  • A .vmdk descriptor represents the virtual hard disk and records where its data lives. (“The .vmdks are always hit,” according to Betts.)
  • “Flat” files (name-flat.vmdk) are the raw disk data for each virtual hard drive.
These objects update and change. A .vmdk descriptor, for example, is what tells the hypervisor which flat file the disk’s data must be written to. An encrypted .vmdk breaks that link.
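The relationship between the .vmx, the .vmdk descriptor and the flat file described above is what an incident responder has to verify file by file after an ESXi event. The script below is an added example, not code from the article, from Airiam or from VMware: it walks a datastore-style directory, parses each .vmx and each .vmdk descriptor in the documented plaintext format, and reports files that are no longer plaintext (encrypted in place) and descriptors whose flat extent is missing or does not match the sector count the descriptor declares (the shape a VM that was never shut down cleanly is left in). The three sample VMs, their sizes and the ciphertext stand-in are constructed for the example; the heuristics and the layout names (`datastore1`, `vm1` … `vm3`) are assumptions.

```python
"""Post-ransomware triage of a VMware datastore directory (added example)."""
import os
import re
import tempfile

DESCRIPTOR_MAGIC = b"# Disk DescriptorFile"   # first line of every plaintext .vmdk descriptor
SECTOR_BYTES = 512
DATA_SUFFIXES = ("-flat.vmdk", "-delta.vmdk", "-sesparse.vmdk")  # raw disk data, not descriptors
# Extent line in a descriptor, e.g.:  RW 16777216 VMFS "vm1-flat.vmdk"
EXTENT_RE = re.compile(r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(\w+)\s+"([^"]+)"', re.M)
# Disk reference in a .vmx, e.g.:  scsi0:0.fileName = "vm1.vmdk"
VMX_DISK_RE = re.compile(r'^\s*([a-z]+\d+:\d+)\.fileName\s*=\s*"([^"]+\.vmdk)"', re.M | re.I)


def looks_plaintext(data):
    """VMX files and VMDK descriptors are ASCII text; a file encrypted in place is not.
    Heuristic (assumed threshold): more than 10% non-text bytes in the first 4 KiB."""
    sample = data[:4096]
    if not sample:
        return True
    bad = sum(1 for b in sample if b >= 0x80 or (b < 0x20 and b not in (9, 10, 13)))
    return bad / len(sample) < 0.10


def parse_descriptor(data):
    """Extents of a .vmdk descriptor as [(access, sectors, kind, filename)], or None if unreadable."""
    if not data.startswith(DESCRIPTOR_MAGIC):
        return None
    text = data.decode("utf-8", "replace")
    return [(m.group(1), int(m.group(2)), m.group(3), m.group(4)) for m in EXTENT_RE.finditer(text)]


def triage_datastore(root):
    """Walk a datastore directory and return sorted (relative_path, finding) pairs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.endswith(DATA_SUFFIXES):
                continue  # raw data files are checked through the descriptor that references them
            if name.endswith(".vmx"):
                with open(path, "rb") as fh:
                    data = fh.read()
                if not looks_plaintext(data):
                    findings.append((rel, "vmx is not plaintext: probably encrypted in place"))
                    continue
                for m in VMX_DISK_RE.finditer(data.decode("utf-8", "replace")):
                    if not os.path.exists(os.path.join(dirpath, m.group(2))):
                        findings.append((rel, f"{m.group(1)} references missing descriptor {m.group(2)}"))
            elif name.endswith(".vmdk"):
                with open(path, "rb") as fh:
                    data = fh.read()
                extents = parse_descriptor(data)
                if extents is None:
                    why = "probably encrypted in place" if not looks_plaintext(data) else "header missing, corrupt"
                    findings.append((rel, f"vmdk descriptor unreadable: {why}"))
                    continue
                for _access, sectors, kind, extent_name in extents:
                    if kind == "ZERO":
                        continue  # a ZERO extent has no backing file by design
                    extent_path = os.path.join(dirpath, extent_name)
                    if not os.path.exists(extent_path):
                        findings.append((rel, f"extent {extent_name} missing"))
                    elif kind in ("VMFS", "FLAT") and os.path.getsize(extent_path) != sectors * SECTOR_BYTES:
                        findings.append((rel, f"extent {extent_name} is {os.path.getsize(extent_path)} bytes, "
                                              f"descriptor says {sectors * SECTOR_BYTES}"))
    return sorted(findings)


def _descriptor(vm, sectors):
    """Minimal plaintext .vmdk descriptor with one VMFS flat extent (constructed)."""
    return (f'# Disk DescriptorFile\nversion=1\nencoding="UTF-8"\nCID=fffffffe\nparentCID=ffffffff\n'
            f'createType="vmfs"\n\n# Extent description\nRW {sectors} VMFS "{vm}-flat.vmdk"\n\n'
            f'# The Disk Data Base\n#DDB\n\nddb.adapterType = "lsilogic"\n').encode()


def _vmx(vm, disks):
    """Minimal .vmx referencing the given descriptor files on scsi0 (constructed)."""
    lines = ['.encoding = "UTF-8"', 'config.version = "8"', f'displayName = "{vm}"']
    lines += [f'scsi0:{i}.fileName = "{disk}"' for i, disk in enumerate(disks)]
    return ("\n".join(lines) + "\n").encode()


CIPHERTEXT = bytes(range(256)) * 8  # constructed stand-in for a file body overwritten with ciphertext


def build_sample_datastore():
    """Constructed sample: vm1 healthy, vm2 encrypted in place, vm3 left inconsistent."""
    root = tempfile.mkdtemp(prefix="datastore1-")
    layout = {
        "vm1/vm1.vmx": _vmx("vm1", ["vm1.vmdk"]),
        "vm1/vm1.vmdk": _descriptor("vm1", 64),
        "vm1/vm1-flat.vmdk": b"\0" * (64 * SECTOR_BYTES),
        "vm2/vm2.vmx": CIPHERTEXT,                      # config and descriptor both encrypted
        "vm2/vm2.vmdk": CIPHERTEXT,
        "vm2/vm2-flat.vmdk": b"\0" * (64 * SECTOR_BYTES),
        "vm3/vm3.vmx": _vmx("vm3", ["vm3.vmdk", "vm3_1.vmdk"]),  # second descriptor is gone
        "vm3/vm3.vmdk": _descriptor("vm3", 64),
        "vm3/vm3-flat.vmdk": b"\0" * (40 * SECTOR_BYTES),        # flat never finished writing
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, finding in triage_datastore(build_sample_datastore()):
        print(f"{rel}: {finding}")
```

Run against a real datastore mounted read-only (or a copy), the same checks separate VMs that can be decrypted and booted from those where the descriptor and flat file no longer agree and a backup is the only way back. The plaintext heuristic is deliberately crude; a renamed or appended file extension, which some families add, would also be a signal and is not checked here.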

Luna ransomware, which appeared in July of 2022 and seeks out ESXi instances, does not shut down the virtual machines—a tactic that may lead to file corruption after decryption.

When VMs are not shut down before the encryption process runs, the files themselves become corrupt because they are unable to write data as expected within ESXi, said Betts, leading to “trash” files. Because the exchange between guest and host never finished properly, the virtual files may be left in a misconfigured, unusable state, even after a decryption tool is deployed.

“Files are corrupted because they weren’t able to shut down gracefully. So, things aren’t written into the .vmx and the .vmdks and the .flat like they’re supposed to,” Betts told IT Brew.

With threat actors turning virtual files into unusable ones, IT-service firms like Airiam hope clients have proper data backups. Backup products such as Veeam, Backblaze, and Acronis can restore an entire VM rather than individual files.

“The biggest challenge at the end of the day is going to be what do we have to work with to rebuild you,” said Betts.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.
