A recently-concluded investigation into a ransomware attack revealed that the attackers executed a custom Python script on the target’s virtual machine hypervisor to encrypt all the virtual disks, taking the organization’s VMs offline. In what was one of the quickest attacks Sophos has investigated, from the time of the initial compromise until the deployment of the ransomware script, the attackers spent just over three hours on the target’s network before encrypting the virtual disks in a VMware ESXi server.

The Python script embeds the text of the ransom note.

The attackers initially accessed their foothold by logging in to a TeamViewer account (one which didn’t have multi-factor authentication set up), running in the background on a computer that belongs to a user with Domain Administrator credentials in the target’s network. The attackers logged on at 30 minutes past midnight in the target organization’s time zone, and ten minutes later downloaded and ran a tool called Advanced IP Scanner to identify targets on the network. Just before 2 am, the attackers downloaded an SSH client called Bitvise, and used it to log into a VMware ESXi server they had identified using Advanced IP Scanner. ESXi servers have a built-in SSH service called the ESXi Shell that administrators can enable, but it is normally disabled by default. This organization’s IT staff was accustomed to using the ESXi Shell to manage the server, and had enabled and disabled the shell multiple times in the month prior to the attack. However, the last time they enabled the shell, they failed to disable it afterwards. The criminals took advantage of this fortuitous situation when they found the shell was active. Three hours after the attackers scanned the network, they used their credentials to log into the ESXi Shell, and copied a file named fcker.py to the ESXi datastore, which houses the virtual disk images used by the VMs that run on the hypervisor. The Python script uses the vim-cmd command functions of the ESXi Shell to produce a list of the names of all virtual machines installed on the server, then shuts them all down. One by one, the attackers executed the Python script, passing the path to a datastore disk volume as an argument to the script. Each individual volume contained the virtual disk and VM settings files for multiple virtual machines. Thanks to some solid forensics work, the Rapid Response team recovered a copy of the Python script, even though the attackers appeared to have overwritten it with other data before deleting the file.

At only 6kb, the script’s small size belies its abilities. The script contains variables that the attacker can configure with multiple encryption keys and email addresses, and where they can customize the file suffix that gets appended to encrypted files. The script embeds the file suffix it appends to encrypted files (ext), and the email addresses (mail, mail2) to be used to contact the attacker for payment of the ransom, as variables. Initially, the script “walks” the filesystem of a datastore and creates a directory map of the drive, and inventories the names of every virtual machine on the hypervisor, writing them to a file called vms.txt. It then executes the ESXi Shell command vim-cmd vmsvc/power.off, one time for each VM, passing the VM names to the command as a variable, one at a time. Only when the VMs have powered off will the script begin encrypting the datastore volumes. Using a single instruction for each file it encrypts, the script invokes the open-source tool openssl to encrypt the files with the following command: openssl rsautl -encrypt -inkey pubkey.txt -pubin -out.

The file encryption function within the Python script

The script then overwrites the contents of the original file with just the word fuck, then deletes the original file. Finally, it deletes the files that contain the directory listings and the names of the VMs, and itself, by overwriting those files before deleting them. One thing that we noticed while walking through the code was the presence of multiple, hardcoded encryption keys, as well as a routine for generating even more encryption key pairs. Normally, an attacker would only need to embed the “public key” that the attacker generated on their own machine, which would be used to encrypt files on the targeted computer(s). But this ransomware appears to create a unique key every time it is run.
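As an added defensive illustration (not Sophos's code and not the ransomware script), the following Python detector scans command-audit lines for the chain described above: a script launched from a datastore path, a burst of vim-cmd vmsvc/power.off calls, openssl rsautl public-key encryption, and removal of the .py file. The sample lines, timestamps, PID and the "shell[pid]: [user]: command" line layout are constructed assumptions modelled on ESXi's shell.log, not a log from the case.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the assumed shell.log style (not a real log from the case).
SAMPLE_LOG = """\
2021-10-01T00:58:03Z shell[2001]: [root]: ls /vmfs/volumes/datastore1
2021-10-01T00:58:40Z shell[2001]: [root]: python /vmfs/volumes/datastore1/fcker.py /vmfs/volumes/datastore1
2021-10-01T00:58:41Z shell[2001]: [root]: vim-cmd vmsvc/getallvms
2021-10-01T00:58:42Z shell[2001]: [root]: vim-cmd vmsvc/power.off 1
2021-10-01T00:58:43Z shell[2001]: [root]: vim-cmd vmsvc/power.off 2
2021-10-01T00:58:44Z shell[2001]: [root]: vim-cmd vmsvc/power.off 3
2021-10-01T00:59:10Z shell[2001]: [root]: openssl rsautl -encrypt -inkey pubkey.txt -pubin -in srv1.vmdk -out srv1.vmdk.enc
2021-10-01T00:59:11Z shell[2001]: [root]: rm /vmfs/volumes/datastore1/fcker.py
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# Indicators derived from the behaviour described in the article.
INDICATORS = [
    ("script_run_from_datastore", re.compile(r"python\S* \S*/vmfs/volumes/\S+\.py")),
    ("vm_power_off", re.compile(r"vim-cmd vmsvc/power\.off")),
    ("rsa_encrypt_with_pubkey", re.compile(r"openssl rsautl .*-encrypt.*-pubin")),
    ("delete_py", re.compile(r"\brm\b.*\.py\b")),
]

def parse(line):
    """Return (timestamp, user, command) or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["cmd"]

def detect(log_text, min_power_off=3, window=timedelta(minutes=10)):
    """Return (indicator, timestamp, detail) hits; add one 'mass_power_off' hit when
    at least min_power_off power.off commands fall inside the sliding window."""
    hits, power_offs = [], []
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, _user, cmd = parsed
        for name, rx in INDICATORS:
            if rx.search(cmd):
                hits.append((name, ts, cmd))
                if name == "vm_power_off":
                    power_offs.append(ts)
    power_offs.sort()
    for i in range(len(power_offs)):          # sliding window over power-off times
        j = i + min_power_off - 1
        if j < len(power_offs) and power_offs[j] - power_offs[i] <= window:
            hits.append(("mass_power_off", power_offs[i], f"{min_power_off}+ VMs powered off within {window}"))
            break
    return hits
```

A single power-off or a lone rm is routine administration; the value here is the combination of indicators from one session within minutes of each other.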