Python ransomware strikes virtual machines in 'ultra-high-speed' attacks


Cybersecurity experts have shared details about a speedy new ransomware campaign attacking virtual machines (VMs) hosted on a VMware ESXi hypervisor.

Describing it as a sniper-like operation, Sophos researchers claim that it took the attackers less than three hours from breaching the target to encrypting it.

“This is one of the fastest ransomware attacks Sophos has ever investigated and it appeared to precision-target the ESXi platform,” said Andrew Brandt, principal researcher at Sophos.


The researchers note that while malware that runs under a Linux-like operating system, such as the one ESXi uses, is still relatively uncommon, hypervisors are an attractive target since the VMs they host usually run business-critical services.

Splash and dash

Sophos researchers add that even notorious ransomware operators such as DarkSide and REvil have targeted ESXi servers.

However, two aspects of this particular attack stand out: the swiftness shown by the attackers, and the use of Python for the ransomware.

The attackers logged into the network after compromising a TeamViewer account that was running in the background on a computer that belonged to a user with Domain Administrator credentials.

Ten minutes after logging in, the attackers downloaded an IP scanner to map the network. Soon after identifying the ESXi server, the attackers discovered that the target’s staff had left the built-in SSH service in ESXi enabled instead of disabling it.

It didn’t take them long to log into the hypervisor to deploy the Python ransomware.
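The access path described above (a reachable SSH service on the hypervisor, then an interactive login) leaves a trace in the host's own SSH authentication log. The following is an added example, not code from Sophos or from the article, showing how a defender might pull successful SSH logins out of an ESXi-style auth log and flag any that did not come from the expected management network. The log lines are constructed to mimic the sshd "Accepted ... for ... from ..." format, and the management subnet 10.10.0.0/24 is an assumption.

```python
"""
Added example: flag interactive SSH logins to an ESXi host from outside the
management network. Not part of the Sophos write-up or the article.
"""
import ipaddress
import re
from datetime import datetime, timezone

# Assumption: only this range should ever reach the hypervisor's SSH service.
MGMT_NET = ipaddress.ip_network("10.10.0.0/24")

# Constructed sample log lines in the sshd/PAM "Accepted ... from <ip>" form.
SAMPLE_AUTH_LOG = """\
2021-10-01T08:02:11Z sshd[2001]: Accepted keyboard-interactive/pam for root from 10.10.0.7 port 51000 ssh2
2021-10-01T09:41:53Z sshd[2109]: Failed keyboard-interactive/pam for root from 192.168.5.23 port 60110 ssh2
2021-10-01T09:42:07Z sshd[2111]: Accepted keyboard-interactive/pam for root from 192.168.5.23 port 60114 ssh2
2021-10-01T09:42:08Z sshd[2111]: pam_unix(sshd:session): session opened for user root by (uid=0)
"""

# Matches only successful logins; failed attempts and session lines are ignored.
ACCEPT_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_accepted_logins(text):
    """Return one dict per successful SSH login found in the log text."""
    events = []
    for line in text.splitlines():
        m = ACCEPT_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": m["user"],
            "method": m["method"],
            "src": ipaddress.ip_address(m["ip"]),
            "pid": int(m["pid"]),
        })
    return events


def flag_unexpected_logins(events, mgmt_net=MGMT_NET):
    """Keep only logins whose source address lies outside the management network."""
    return [e for e in events if e["src"] not in mgmt_net]


def main():
    events = parse_accepted_logins(SAMPLE_AUTH_LOG)
    for e in flag_unexpected_logins(events):
        print(f"{e['time'].isoformat()} SSH login as {e['user']} from {e['src']} "
              f"(outside {MGMT_NET}) via {e['method']}")


if __name__ == "__main__":
    main()
```

On a real host the input would be the contents of /var/log/auth.log shipped off the hypervisor to a collector, since a log that stays on the encrypted host is of little use afterwards. The more direct mitigation the article points to is to keep the ESXi SSH service switched off when it is not being used for maintenance.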

“Python is a coding language not commonly used for ransomware. However, Python is pre-installed on Linux-based systems such as ESXi, and this makes Python-based attacks possible on such systems,” reason the researchers, who managed to recover the ransomware for analysis after considerable effort.

In their analysis, the researchers unpick the 6kb ransomware, which was nimble and offered the attackers several customizable options, in order to help admins secure their environments against a similar attack.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
