Among many ransomware attacks, probably the most lucrative are hypervisor targeted attacks where hackers can encrypt data on multiple machines all at once. Hypervisors, software that creates and runs virtual machines, represent an important function in every virtualization environment.
Ransomware attacks on hypervisors or any other emulation software are usually very disruptive and fast since a hacker only needs to infect one instance of it to reach many other virtualized machines.
Hypervisor in this article can refer to any of the following.
- VMware
- Hyper-V
- Nutanix – AVH
- Xen
- KVM
Among many ransomware attacks, probably the most lucrative are hypervisor targeted attacks where hackers can encrypt data on multiple machines all at once. Hypervisors, software that creates and runs virtual machines, represent an important function in every virtualization environment.
Ransomware attacks on hypervisors or any other emulation software are usually very disruptive and fast since a hacker only needs to infect one instance of it to reach many other virtualized machines.
Hypervisor in this article can refer to any of the following.
- VMware
- Hyper-V
- Nutanix – AVH
- Xen
- KVM
Hypervisor Ransomware - Attack Cycle
Almost all ransomware attacks start with compromised credentials. Hackers use various methods of acquiring login information to gain initial access to a system, phishing email attacks being the most common method. However, brute-forcing attempts are also conducted to gain privileges on a system from where reconnaissance takes place. If employee credentials are compromised or even worse, administrator-level accounts, hackers can easily start mapping the network components and identify different hosts on a network.
The next step in the ransomware attack is identifying the hypervisor server to gain access on the machine. Various scanning and enumeration scripts are used to identify the operating system and other host information to locate the hypervisor. Once the attackers identify their target, the next step of the attack entails gaining a remote shell, a command-line that allows code execution to another computer across the network, with administrator privileges on the hypervisor. If best practices are not followed, attackers might leverage an existing already open shell that is usually used for maintenance and system updates.
The final step of the attack always includes a script type that shuts down all virtual machines and begins the encryption process. At this point the attack is successful and a ransomware note is the next thing that is seen by the administrators or other users on the network.
Hypervisor Ransomware - Attack Cycle
Almost all ransomware attacks start with compromised credentials. Hackers use various methods of acquiring login information to gain initial access to a system, phishing email attacks being the most common method. However, brute-forcing attempts are also conducted to gain privileges on a system from where reconnaissance takes place. If employee credentials are compromised or even worse, administrator-level accounts, hackers can easily start mapping the network components and identify different hosts on a network.
The next step in the ransomware attack is identifying the hypervisor server to gain access on the machine. Various scanning and enumeration scripts are used to identify the operating system and other host information to locate the hypervisor. Once the attackers identify their target, the next step of the attack entails gaining a remote shell, a command-line that allows code execution to another computer across the network, with administrator privileges on the hypervisor. If best practices are not followed, attackers might leverage an existing already open shell that is usually used for maintenance and system updates.
The final step of the attack always includes a script type that shuts down all virtual machines and begins the encryption process. At this point the attack is successful and a ransomware note is the next thing that is seen by the administrators or other users on the network.
Mitigating Hypervisor Based Ransomware Attacks
As with every ransomware attack, proper cybersecurity practices need to be implemented and followed. Below are some of the crucial actions and steps that any organization should take to decrease the risk of a successful ransomware attack on hypervisors and other emulation software.
Mitigating Hypervisor Based Ransomware Attacks
As with every ransomware attack, proper cybersecurity practices need to be implemented and followed. Below are some of the crucial actions and steps that any organization should take to decrease the risk of a successful ransomware attack on hypervisors and other emulation software.
Use multi-factor authentication on all admin-level accounts
Restrict remote access shells on the hypervisor
Another important and easy measure is the restriction of remote access itself. Emphasize the dangers of leaving remote access shells running on critical infrastructure to your administrators. If an attacker compromises an administrator account, you will drastically help the attacker in his next stage of the attack in establishing access on the hypervisor. Practice closing all active remote access sessions once admin tasks are completed.
Avoid root access logins
Another measure related to access restrictions is the use of root-level accounts. Most day-to-day work performed by system owners and administrators does not require root-level access. It is recommended to create separate accounts on systems and use those accounts for day-to-day activities. Root accounts should only be used where necessary and for a limited amount of time.
Tighten the open ports on the hypervisor host
A simple measure can decrease the attack vector on the hypervisor by removing access to unnecessary ports. Unused services should be disabled.
Hypervisor lockdown mode
With lockdown mode active, the hypervisor hosts can only be accessed via the vCenter server. You can additionally allow a specific user access to service accounts.
Enable MFA for the hypervisor
To add another layer of protection, multi-factor authentication can be enabled on the hypervisor platforms. This will effectively limit a potential attacker from accessing the server and progressing in the attack chain.
Hypervisor account lockout
The account lockout feature is available with SSH access and is set to 10 failed login attempts by default. You can change the default parameters, but the main takeaway is the protection against any potential brute force attacks.
Regular AD access level auditing
It doesn’t make much sense to implement numerous levels of protection for administrator accounts if there aren’t solid access level audits conducted. Due to the dynamic nature of accounts, roles, and permissions, it is important to conduct regular Active Directory access auditing to ensure the principle of least privilege, limiting the potential damage that can arise from access level scope creep.
Use VLANs for additional segmentation of the network
Network segmentation should be a must in every network architecture planning and work. It is known to be one of the necessary steps in ensuring that an organization understands its network traffic flow. But it additionally enforces security best practices and increases the difficulty of a successful ransomware attack. Consider micro-segmentation as well, more specifically, segmenting the hypervisor from the rest of the machines in a LAN.
Ransomware has long been one of the major cyber security topics regarding cyber security threats. Attackers are seeking to decrease the length of time required for a successful ransomware attack.
One of the best ways to accomplish this is attacking emulation software such as a hypervisor to encrypt data on as many machines as possible with one swift action. Knowing this, organizations should take extra steps in planning, protecting, and maintaining the security of hypervisors. Understanding the attack cycle and critical mistakes that led to a successful ransomware attack on a hypervisor, organizations can take many steps outlined above to significantly decrease the risk of seeing a ransomware note on their machines.
Use multi-factor authentication on all admin-level accounts
Starting from one of the easiest measures to implement, applying 2FA authentication on all administrator accounts can effectively stop the ransomware attack before the attack even has a chance to gain access to a system. It is highly recommended to protect high privilege accounts to avoid a great deal of damage.
Restrict remote access shells on the hypervisor
Another important and easy measure is the restriction of remote access itself. Emphasize the dangers of leaving remote access shells running on critical infrastructure to your administrators. If an attacker compromises an administrator account, you will drastically help the attacker in his next stage of the attack in establishing access on the hypervisor. Practice closing all active remote access sessions once admin tasks are completed.
Avoid root access logins
Another measure related to access restrictions is the use of root-level accounts. Most day-to-day work performed by system owners and administrators does not require root-level access. It is recommended to create separate accounts on systems and use those accounts for day-to-day activities. Root accounts should only be used where necessary and for a limited amount of time.
Tighten the open ports on the hypervisor host
A simple measure can decrease the attack vector on the hypervisor by removing access to unnecessary ports. Unused services should be disabled.
Hypervisor lockdown mode
With lockdown mode active, the hypervisor hosts can only be accessed via the vCenter server. You can additionally allow a specific user access to service accounts.
Enable MFA for the hypervisor
To add another layer of protection, multi-factor authentication can be enabled on the hypervisor platforms. This will effectively limit a potential attacker from accessing the server and progressing in the attack chain.
Hypervisor account lockout
The account lockout feature is available with SSH access and is set to 10 failed login attempts by default. You can change the default parameters, but the main takeaway is the protection against any potential brute force attacks.
Regular AD access level auditing
It doesn’t make much sense to implement numerous levels of protection for administrator accounts if there aren’t solid access level audits conducted. Due to the dynamic nature of accounts, roles, and permissions, it is important to conduct regular Active Directory access auditing to ensure the principle of least privilege, limiting the potential damage that can arise from access level scope creep.
Use VLANs for additional segmentation of the network
Network segmentation should be a must in every network architecture planning and work. It is known to be one of the necessary steps in ensuring that an organization understands its network traffic flow. But it additionally enforces security best practices and increases the difficulty of a successful ransomware attack. Consider micro-segmentation as well, more specifically, segmenting the hypervisor from the rest of the machines in a LAN.
Ransomware has long been one of the major cyber security topics regarding cyber security threats. Attackers are seeking to decrease the length of time required for a successful ransomware attack.
One of the best ways to accomplish this is attacking emulation software such as a hypervisor to encrypt data on as many machines as possible with one swift action. Knowing this, organizations should take extra steps in planning, protecting, and maintaining the security of hypervisors. Understanding the attack cycle and critical mistakes that led to a successful ransomware attack on a hypervisor, organizations can take many steps outlined above to significantly decrease the risk of seeing a ransomware note on their machines.
See also: