New Python-based Ransomware Encrypts Virtual Machines Quickly


Sophos cybersecurity researchers have discovered a Python-based ransomware operation that escalated from a compromised corporate network to encrypted virtual machines in just three hours.

VMware ESXi datastores rarely have endpoint protection, the researchers noted, and they host virtual machines (VMs) that likely run critical services for the business, making them a very attractive target for hackers. In the threat landscape, it’s like winning the jackpot.

In this case, the attackers employed unusual techniques to lock data and prevent any recovery.

Why the Hackers Used Python

Python is a powerful programming language that can easily interact with the operating system with just a few lines of code, and ESXi servers are Linux-based systems that often have Python pre-installed.

Python also makes it convenient to invoke other programs through its os module. In this case, the hackers uploaded a small Python script called fcker.py containing ESXi Shell commands such as vim-cmd vmsvc/getallvms and vim-cmd vmsvc/power.off.

These instructions are used to list all VMs and shut them
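The sequence described above (enumerate VMs, then power them off in bulk) is something a defender can look for in ESXi shell command history. The following detector is an added example, not code from Sophos or from the article; the log line format and the sample lines are constructed for this illustration, so the regex would need to match whatever shell log source you actually collect.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the style of a shell command log
# (assumed format; adapt LINE_RE to your real log source).
SAMPLE_LOG = """\
2021-10-05T02:10:11Z shell[12345]: [root]: ls /vmfs/volumes
2021-10-05T02:11:02Z shell[12345]: [root]: vim-cmd vmsvc/getallvms
2021-10-05T02:11:20Z shell[12345]: [root]: vim-cmd vmsvc/power.off 12
2021-10-05T02:11:23Z shell[12345]: [root]: vim-cmd vmsvc/power.off 13
2021-10-05T02:11:27Z shell[12345]: [root]: vim-cmd vmsvc/power.off 14
2021-10-05T02:11:31Z shell[12345]: [root]: vim-cmd vmsvc/power.off 15
2021-10-05T02:12:00Z shell[12345]: [root]: python /tmp/fcker.py
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$")

def parse_shell_log(text):
    """Yield (timestamp, user, command) tuples from shell-log style lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["user"], m["cmd"].strip()

def detect_mass_poweroff(text, window=timedelta(minutes=5), threshold=3):
    """Flag a VM enumeration (vmsvc/getallvms) followed by at least
    `threshold` vmsvc/power.off calls inside `window`. Returns a list of
    alert dicts; an empty list means nothing matched."""
    alerts = []
    events = list(parse_shell_log(text))
    for i, (ts, user, cmd) in enumerate(events):
        if not cmd.startswith("vim-cmd vmsvc/getallvms"):
            continue
        offs = [e for e in events[i + 1:]
                if e[0] - ts <= window
                and e[2].startswith("vim-cmd vmsvc/power.off")]
        if len(offs) >= threshold:
            alerts.append({"user": user, "start": ts, "count": len(offs),
                           "vm_ids": [o[2].split()[-1] for o in offs]})
    return alerts

if __name__ == "__main__":
    for alert in detect_mass_poweroff(SAMPLE_LOG):
        print(alert)
```

Normal administration rarely powers off several VMs within seconds of listing them, so a low threshold is reasonable, but tune `window` and `threshold` against your own maintenance activity before alerting on it.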
