An article on duo.com describes a ransomware vector of real concern: exploit a vulnerability in an ESXi host, then encrypt the shared datastore and take down dozens, possibly hundreds, of virtual machines at once.
The LockBit ransomware-as-a-service (RaaS) group has over the past year targeted various organizations globally, including ones in Chile, Italy and the UK. Researchers with Trend Micro in an analysis this week said they uncovered an announcement for LockBit Linux-ESXi Locker version 1.0 in October, made on the underground forum RAMP for potential affiliates. Since then, they have seen numerous samples in the wild, though they have not yet seen any organizations actually targeted by the variant.
Several other ransomware groups – including ones behind the BlackMatter, AvosLocker and HelloKitty ransomware groups – have shifted their efforts to target the ESXi platform, which is a hypervisor developed by VMware that is used by enterprise organizations to deploy and manage virtual machines.
As more organizations transition to ESXi, researchers said attackers increasingly view this platform as lucrative for ransomware attacks. Because the ESXi hypervisor allows multiple VMs to share the same hard drive storage, this creates an opportunity for attackers to target these centralized virtual hard drives used to store data from across VMs – creating a larger potential for disruption for companies.
Eyewitness accounts from the field claim their estate was exploited through an Enhanced Linked Mode (ELM) misconfiguration, and that encryption across the cluster took seconds. Time to enable MFA on vCenter if you haven't, review your local and SSO user lists on every host, and disable the Active Directory integration on ESXi if you can manage without it.
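The "check your user lists" and "disable AD integration" advice above is easy to script on an ESXi host. The following is an added example, not code from the original post or from duo.com: it audits the output of `esxcli system account list` for local accounts outside the stock baseline (root, dcui, vpxuser) and reads the `esxAdminsGroupAutoAdd` advanced setting, which, when set to 1, grants administrator rights on a domain-joined host to members of whatever AD group is named in `esxAdminsGroup` (by default "ESX Admins"). When `esxcli` is on the path it runs live; otherwise it parses the constructed sample output below (the account names `backup` and `jsmith` and the exact column layout are assumptions).

```shell
#!/bin/sh
# Added example: audit an ESXi host's local accounts and the
# "ESX Admins" auto-add setting. Not part of the original post.

# Constructed sample of `esxcli system account list` (layout assumed).
SAMPLE_ACCOUNTS='User ID  Description
-------  --------------------
root     Administrator
dcui     DCUI User
vpxuser  VMware vCenter Server
backup   Backup service account
jsmith   Added by someone, sometime'

# Constructed sample of
# `esxcli system settings advanced list -o /Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd`
SAMPLE_AUTOADD='   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd
   Type: integer
   Int Value: 1
   Default Int Value: 1
   Min Value: 0
   Max Value: 1
   Description: Controls whether the ESX Admins group is automatically added'

# Read `esxcli system account list` on stdin; print every user ID that is
# not one of the three accounts a stock ESXi install ships with.
unexpected_accounts() {
    awk 'NR > 2 && $1 != "" && $1 != "root" && $1 != "dcui" && $1 != "vpxuser" { print $1 }'
}

# Read an `esxcli system settings advanced list -o ...` block on stdin and
# print the current integer value (the "Int Value:" line, not the default).
setting_int_value() {
    awk -F': *' '$1 ~ /^ *Int Value$/ { print $2; exit }'
}

# audit_host ACCOUNT_LIST AUTOADD_SETTING
# Prints findings and returns 1 if there is anything to review, else 0.
audit_host() {
    accounts="$1"
    autoadd="$2"
    rc=0
    extra=$(printf '%s\n' "$accounts" | unexpected_accounts)
    if [ -n "$extra" ]; then
        echo "local accounts outside the stock baseline, verify each one:"
        printf '  %s\n' $extra
        rc=1
    fi
    if [ "$(printf '%s\n' "$autoadd" | setting_int_value)" = "1" ]; then
        echo "esxAdminsGroupAutoAdd is 1: members of the AD group named in" \
             "esxAdminsGroup get Administrator on this host automatically"
        rc=1
    fi
    return $rc
}

if command -v esxcli >/dev/null 2>&1; then
    # Live mode on an ESXi host (needs a shell session with sufficient rights).
    audit_host "$(esxcli system account list)" \
        "$(esxcli system settings advanced list -o /Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd)" \
        && echo "no findings" || echo "review the findings above"
else
    # Offline: run over the constructed samples.
    audit_host "$SAMPLE_ACCOUNTS" "$SAMPLE_AUTOADD" \
        && echo "no findings" || echo "review the findings above"
fi
```

On a host where the auto-add finding fires and you cannot drop the AD join outright, the setting is turned off with `esxcli system settings advanced set -o /Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd -i 0`; unexpected local accounts are removed with `esxcli system account remove -i <user>` once you have confirmed nothing legitimate depends on them.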
[ via duo.com ]