Data center VMs have become more of a ransomware target, because from a hacker’s perspective, a corrupted VM can cause more damage with less effort. A strong security strategy to protect VMs against ransomware must include proactive measures as well as how to address incidents when they occur.
Many bad actors that launch ransomware attacks are extremely patient in their approach. They wait until either they have data exfiltrated from the network for further exploitation or they complete the required reconnaissance to damage their target. Once hackers can launch this type of attack, it can be very difficult to stop.
Within the past year, admins have had to tackle growing ransomware attacks. March 2022 saw a new attack called “Cheers” that targets VMware ESXi servers. This Linux-based ransomware launches once it has access to the system, counts any active VMs and then shuts them down with an esxcli command. The scheme’s goal seems to be data exfiltration and double-extortion attacks to gain data.
In May 2021, VMware posted security advisory VMSA-2021-0010. This vulnerability was especially dangerous: “A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.” Unrestricted privileges make it possible to insert any type of malware into the VMs under vCenter server management.
Most corporate data centers have interconnected storage and servers on the same network infrastructure. When coupled with distributed authentication systems such as Microsoft’s Active Directory, there is the potential for an attacker to gain access to anything inside the corporate firewall as well as cloud-based infrastructure.
Prevention is key
Defense is a key strategy to implement against ransomware. Zero-trust adoption is one way IT teams keep up with the latest threats. The main tenets of zero-trust are the following:
- Verify explicitly. Confirm that information sources include location, device compliance and multifactor user authentication.
- Use least-privileged access. Every user must have limited access, which considers risk-based policies that provide minimal privileges to accomplish a specific task.
- Assume breach. Use tools for intrusion detection and encryption to protect critical resources, and evaluate the potential effects of a compromise.
Bob Plankers, staff security and compliance architect at VMware, addressed the VMSA-2021-0010 vulnerability on the company blog.
“In this era of ransomware it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible,” he wrote.
Comprehensive and regularly scheduled security patching is a key component of any security plan. Admins can also regularly verify and test functional backups and disconnected images.
Guidelines and frameworks
IT teams must plan how to respond to an attack before it happens. NIST special publication 800-61 provides a comprehensive summary of the steps required to build a computer security incident response capability.
The NIST document breaks down the incident response lifecycle into four areas:
- Preparation. Establish an incident response capability ahead of time and ensure infrastructure is secure.
- Detection and analysis. Use antivirus software, log analysis software and automated detection to identify and evaluate potential events.
- Containment, eradication and recovery. Isolate an event or virus so that incident response teams can develop a remediation strategy and reduce spread.
- Post-incident activity. Meet to address what happened and how to prevent such an incident in the future.
Section 3.2.1 makes an important point: “Incidents can occur in countless ways, so it is infeasible to develop step-by-step instructions for handling every incident.” For this reason, organizations should focus on common attack vectors, such as external media, web-based and email attachments, and specific actions categorized as insider threats.
To address potential access points at the user level, NIST special publication 800-83 is titled “Guide to Malware Incident Prevention and Handling for Desktops and Laptops.” IT teams that can stop attacks at the user level prevent further damage to the overall system and reduce the chance of a hacker getting privileged credentials.
Prepare for ransomware attacks
For many companies, the risks of ransomware extend to solvency or ruin. While virtualization can consolidate workloads that previously required multiple servers onto a single host, it has also made those host machines even higher-priority targets.
IT teams can follow the guidelines the NIST publications outline. Identify the most important assets, such as customer databases or accounting systems, and ensure there is an off-site backup. However, just having a backup in place isn’t necessarily going to protect an organization from an attack.
Disaster recovery plans should include the potential for a major security breach and provide for continuity of operations if a ransomware attack occurs. Any recovery efforts should address what assets must be recovered, how and when they will be restored, and what part of the data is infected.
Organizations should have a list of individuals and companies to contact in case the worst happens. Most SMBs don’t have the technical wherewithal to handle a serious security breach, so be sure to find a security or disaster recovery service provider that can.