Ransomware targeting VMware vSphere has emerged

https://www.crazycen.com/vmware/1905.html

March 15, 2021

In the early hours of 2021.03.14 I was woken up: users reported that a large number of virtual machines had been shut down and were unreachable, and the users' production environment was down.

Xiao Cen and his colleagues, together with the users, worked on the business recovery; it took a whole day to restore service.


Symptoms of the infection:

In the VMware vSphere cluster, only vCenter was still in a normal state.

At the same time, a large number of Windows desktop PCs and laptops in the enterprise were encrypted.

VMware vSphere section

1. Browsing the ESXi datastore showed that the virtual machine disk files (.vmdk) and virtual machine description files (.vmx) had been renamed. Opening a .vmx file by hand showed that its contents were encrypted.

The VMware vm-support log collection bundle also contained the documents generated by the ransomware.

Log diagnostic bundle collected with ESXi vm-support
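The two datastore symptoms above (renamed .vmdk/.vmx files and .vmx files that no longer read as configuration) can be checked from the ESXi shell. The following triage script is an added example, not code from the original post; `/vmfs/volumes` is the real ESXi datastore mount point, while the function names and the sample file names in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): triage a datastore tree for
# the ransomware symptoms described above, written for the ESXi busybox
# shell (POSIX sh).  /vmfs/volumes is the real ESXi datastore mount point;
# function names and sample paths are assumptions of this example.
# Every hit still needs a human look: a RENAMED hit may be an operator's
# leftover copy, an unreadable .vmx on a production VM is not.

# A healthy .vmx is plain text and always carries these two keys; an
# encrypted one carries neither.
vmx_looks_intact() {
    grep -q '^config.version' "$1" 2>/dev/null &&
        grep -q '^virtualHW.version' "$1" 2>/dev/null
}

# Print one line per suspicious file: REASON<TAB>path.
#   RENAMED  the real extension is no longer the last one (web01.vmdk.<x>)
#   CORRUPT  a .vmx exists but no longer parses as a config file
scan_datastores() {
    root=${1:-/vmfs/volumes}
    find "$root" -type f \( -name '*.vmx.*' -o -name '*.vmdk.*' \) 2>/dev/null |
        while IFS= read -r f; do
            printf 'RENAMED\t%s\n' "$f"
        done
    find "$root" -type f -name '*.vmx' 2>/dev/null |
        while IFS= read -r f; do
            vmx_looks_intact "$f" || printf 'CORRUPT\t%s\n' "$f"
        done
}

# Number of suspicious files: a one-number health check when the script is
# looped over many hosts via SSH.
count_suspicious() {
    scan_datastores "$1" | wc -l | tr -d ' '
}

# Usage on a host:  sh triage.sh /vmfs/volumes
#                   sh triage.sh /vmfs/volumes/datastore1
if [ "$#" -ge 1 ]; then scan_datastores "$1"; fi
```

The two checks are deliberately content-based rather than tied to a particular ransomware extension, so the script keeps working when a different family renames files differently; a VM whose .vmx is reported as CORRUPT is the one that cannot be re-registered and must come back from a storage snapshot or backup.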


Windows part

1. Files on the Windows clients were encrypted to varying degrees: on some machines all disks were encrypted, on others only part of the files.

2. The Windows system logs had been cleared, so the source could not be traced. Note: McAfee enterprise antivirus was installed on the clients, but it provided no protection.

3. Checks with Huorong, Autoruns, and Sangfor EDR found no abnormalities for the time being.

How the incident was handled:

VMware vSphere section

1. Thanks to the daily storage snapshots the customer already had: after all VMware vSphere virtualization hosts were rebuilt, a new LUN was created from the storage LUN snapshot and mounted on ESXi, the virtual machines were registered manually, and they were then started one by one to check for data loss and restore the business.

2. The user also had a data backup environment. Some VMware virtual machines stored on local disks could not be restored from storage snapshots, so they were restored from whole-VM backups.

3. Virtual machines with neither snapshots nor backups had to be given up; they will be rebuilt later.

4. The existing virtualization environment was upgraded.
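Step 1 above (mount the LUN snapshot copy, register the machines by hand, then verify) maps onto a handful of ESXi shell commands. The script below is an added example and not the post's own procedure text: `esxcli storage vmfs snapshot list/resignature`, `vim-cmd solo/registervm` and `vim-cmd vmsvc/getallvms` are real ESXi commands, while the `DRY_RUN` switch, the function names and the datastore label in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the post's own text or code): the recovery procedure
# from step 1 above as ESXi shell commands.  The esxcli and vim-cmd calls
# are real ESXi commands; DRY_RUN, the function names and the sample
# datastore label are assumptions of this example.

# With DRY_RUN=1 every privileged command is printed instead of executed,
# so the plan can be reviewed before touching a rebuilt host.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: a VMFS volume presented from a storage LUN snapshot is detected as
# an unresolved snapshot volume.  Resignaturing mounts it as a NEW datastore
# (ESXi names it snap-<id>-<label>) next to the damaged original instead of
# replacing it, which keeps the original available for forensics.
mount_snapshot_volume() {
    label=$1   # VMFS label as shown by "esxcli storage vmfs snapshot list"
    run esxcli storage vmfs snapshot list
    run esxcli storage vmfs snapshot resignature -l "$label"
}

# Step 2: the rebuilt hosts have an empty inventory, so register every
# readable .vmx below the mounted datastore.  A .vmx that no longer carries
# the virtualHW.version key (encrypted, as in the symptoms above) is skipped
# and reported, because registration would fail on it anyway.  The last
# line printed is the number of VMs registered.
register_vms() {
    root=$1
    find "$root" -type f -name '*.vmx' | {
        registered=0
        while IFS= read -r f; do
            if grep -q '^virtualHW.version' "$f" 2>/dev/null; then
                run vim-cmd solo/registervm "$f"
                registered=$((registered + 1))
            else
                printf 'SKIP (unreadable .vmx): %s\n' "$f" >&2
            fi
        done
        printf '%s\n' "$registered"
    }
}

# Step 3: confirm the inventory; VMs are then powered on and checked one at
# a time, as the post describes.
list_inventory() {
    run vim-cmd vmsvc/getallvms
}

# Usage on a host (review first with DRY_RUN=1); the label and path are
# examples only:
#   DRY_RUN=1 sh recover.sh ds1 /vmfs/volumes/snap-*-ds1
if [ "$#" -eq 2 ]; then
    mount_snapshot_volume "$1"
    register_vms "$2"
    list_inventory
fi
```

Resignaturing rather than force-mounting is the safer default here: the damaged original datastore and the snapshot copy get distinct signatures, so neither host nor vCenter confuses the two while the loss assessment is still running.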

VMware's security bulletin

VMSA-2019-0022.1

VMSA-2020-0023.3

The attack mainly exploited the vulnerabilities in the OpenSLP component used by VMware that these bulletins cover.

VMware mitigation plan

Disable the ESXi SLPD service (this workaround covers ESXi only, not vCenter)

How to Disable/Enable CIM Server on VMware ESXi (76372)

Patch solution:

Search for the patches matching your ESXi and vCenter versions, then upgrade.

https://my.vmware.com/group/vmware/patch#search
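The SLP workaround from the mitigation section and the version check that precedes the patch step can both be scripted on the host. The following is an added example, not the post's or VMware's own code: `/etc/init.d/slpd`, `chkconfig` and the `esxcli` subcommands are real ESXi commands, while `DRY_RUN`, the function names and the constructed `chkconfig` output in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the post's own code): the SLP workaround from the
# mitigation section and the patch-level check, as run in the ESXi shell.
# /etc/init.d/slpd, chkconfig and the esxcli subcommands are real ESXi
# commands; DRY_RUN and the function names are assumptions of this example.

# With DRY_RUN=1 the privileged commands are printed, not executed.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Workaround (ESXi hosts only): stop slpd now, close its firewall ruleset and
# keep the service off across reboots.  Hardware-monitoring tools that find
# the CIM server through SLP lose that discovery path, so confirm nothing
# in the environment depends on it before rolling this out fleet-wide.
disable_slp() {
    run /etc/init.d/slpd stop
    run esxcli network firewall ruleset set -r CIMSLP -e 0
    run chkconfig slpd off
}

# Parse the text printed by "chkconfig slpd" (e.g. "slpd    off") into
# on/off, so the state can be asserted from a script or an SSH loop.
slp_state_from_chkconfig() {
    printf '%s\n' "$1" | awk '$1 == "slpd" { print $2 }'
}

# Returns success only when slpd is configured off.
verify_slp_disabled() {
    [ "$(slp_state_from_chkconfig "$(chkconfig slpd)")" = "off" ]
}

# Patch check: the version and build printed here are what you compare
# against the fixed builds listed in the VMSA bulletins above; the vib list
# shows which component versions are actually installed.
show_patch_level() {
    run esxcli system version get
    run esxcli software vib list
}

# Usage on a host:  DRY_RUN=1 sh slp_mitigation.sh   (print the plan)
#                   sh slp_mitigation.sh             (apply and verify)
if [ "$#" -eq 0 ] && [ -x /etc/init.d/slpd ]; then
    disable_slp
    verify_slp_disabled && echo "slpd is off"
    show_patch_level
fi
```

Treat the workaround as a stopgap only: the bulletins fix the OpenSLP code itself, and the `show_patch_level` output is what tells you whether a host is still on a build that needs the upgrade.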

Windows part

1. Disconnect the Windows clients from the network and rescue data as quickly as possible.

2. Enable the anti-ransomware feature of the antivirus software.

Reflections and suggestions on ransomware:

1. Data backups are very important and are often the only lifeline after a disaster. Keep multiple backups and store them on different media.

2. Storage-level redundancy is also necessary: storage snapshots, replication, cloning and similar technologies. They make backup and restore very fast, which helps rapid business recovery. Mainstream mid-range storage today generally supports storage snapshots; use regular LUN snapshots to protect corporate data.

3. Follow the vendors' security bulletins and promptly upgrade the software and hardware in the existing environment.

Related Links:

Ransomware gangs are abusing VMWare ESXi exploits to encrypt virtual hard disks

Origin blog.csdn.net/z136370204/article/details/114924387