Data center virtual machines have become more of a target for ransomware because from a hacker’s perspective, a corrupted virtual machine can cause more damage with less effort. A solid security strategy for protecting VMs from ransomware should include proactive measures as well as how to handle incidents when they occur.
Many malicious actors who launch ransomware attacks are extremely patient in their approach. They either wait until they have data exfiltrated from the network for later exploitation, or until they complete the reconnaissance required to damage their target. Once hackers can launch this type of attack, it can be very difficult to stop it.
Over the past year, administrators have had to contend with increasing ransomware attacks. March 2022 saw a new attack called “Cheers” which targets VMware ESXi servers. This Linux-based ransomware launches once it gains access to the system, counts all active virtual machines, then shuts them down with a esxcli ordered. The objective of the scheme appears to be data exfiltration and double extortion attacks to obtain data.
In May 2021, VMware released security advisory VMSA-2021-0010. This vulnerability was particularly dangerous: “A malicious actor with network access to port 443 can exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.” Unlimited privileges allow inserting any type of malware into virtual machines under vCenter server management.
Most enterprise data centers have interconnected storage and servers on the same network infrastructure. When combined with distributed authentication systems such as Microsoft Active Directory, it is possible for an attacker to gain access to anything inside the corporate firewall as well as the cloud-based infrastructure.
Prevention is key
Defense is a key strategy to implement against ransomware. Embracing zero trust is a way for IT teams to stay abreast of the latest threats. The main tenets of zero trust are:
- Check explicitly. Confirm that information sources include location, device compliance, and user multi-factor authentication.
- Use the least privileged access. Each user should have limited access, which considers risk-based policies that provide minimum privileges to accomplish a specific task.
- Assume a violation. Use intrusion detection and encryption tools to protect critical assets and assess the potential effects of a compromise.
Bob Plankers, Staff Security and Compliance Architect at VMware, discussed the VMSA-2021-0010 vulnerability on the company’s blog.
“In this age of ransomware, it’s safest to assume that an attacker is already somewhere on the network, on a desktop computer and maybe even under the control of a user account, that’s why we strongly recommend declaring an emergency change and applying a fix as soon as possible,” he wrote.
Applying comprehensive, regularly scheduled security patches is a key part of any security plan. Administrators can also periodically verify and test working backups and disconnected images.
Guidelines and Frameworks
IT teams need to plan how to respond to an attack before it happens. NIST Special Publication 800-61 provides a comprehensive summary of the steps needed to build a computer security incident response capability.
The NIST document breaks down the incident response life cycle into four areas:
- Preparation. Establish incident response capability in advance and ensure the infrastructure is secure.
- Detection and analysis. Use anti-virus software, log analysis software, and automated detection to identify and assess potential events.
- Containment, eradication and recovery. Isolate an event or virus so incident response teams can develop a remediation strategy and reduce the spread.
- Post-incident activity. Meet to discuss what happened and how to prevent such an incident in the future.
Section 3.2.1 makes an important point: “Incidents can occur in countless ways, so it is impossible to develop step-by-step instructions for handling every incident.” For this reason, organizations should focus on common attack vectors, such as external media, web-based attachments, and email, and specific actions classified as insider threats.
To address potential user-level access points, NIST Special Publication 800-83 is titled “Malware Incident Prevention and Response Guide for Desktop and Laptop Computers.” IT teams able to stop attacks at the user level prevent further damage to the entire system and reduce the chances of a hacker gaining privileged credentials.
Prepare for ransomware attacks
For many companies, the risks of ransomware extend to solvency or ruin. While virtualization can consolidate workloads that previously required multiple servers onto a single host, it has also made those host machines even higher priority targets.
IT teams can follow guidelines outlined in NIST publications. Identify the most important assets, such as customer databases or accounting systems, and ensure there is an offsite backup. However, simply having a backup in place is not necessarily going to protect an organization from an attack.
Disaster recovery plans should include the possibility of a major security breach and ensure business continuity in the event of a ransomware attack. Any recovery effort must determine what assets need to be recovered, how and when they will be restored, and what part of the data is infected.
Organizations should have a list of individuals and companies to contact in case the worst happens. Most SMBs don’t have the technical wherewithal to handle a serious security breach, so be sure to find a security or disaster recovery service provider that can.