New ransomware is targeting Windows and Linux VMware ESXi servers – RedAlert/N13V

The ransomware was discovered by MalwareHunterTeam, who tweeted images of the threat actor’s data leak website. It is called RedAlert because that name appears in the ransom note left for victims; the criminals themselves, however, call their operation N13V, as the screenshots published by BleepingComputer show.

We know the ransomware is designed for VMware ESXi servers because it targets the specific files that belong to ESXi virtual machines, such as log files, swap files, virtual disks, and memory files:

  • .log
  • .vmdk
  • .vmem
  • .vswp
  • .vmsn

In-depth video analysis of the ransomware here:

PS. Don’t forget to subscribe to my channel! Thanks and enjoy the video:

How to protect your environment?

There are a few options for protecting our virtual environments, not only against ransomware but against other malicious threats as well.

  1. Keep your strategic VMs backed up. Yes, the virtual machines themselves. If you fall victim to ransomware, you can rebuild the ESXi host and restore your VMs from backup.
  2. Segment your network. Always keep your ESXi hosts on a separate network from the one users browse the Internet from.
  3. Disable the SSH service.
  4. Keep your hosts in Lockdown mode.

Keeping services off and Lockdown mode on can be hard to police, especially when a few administrators share the hosts. Someone can change the settings for troubleshooting purposes and forget to put every security measure back in place.

Therefore, today I am going to show you two short PowerShell (PowerCLI) scripts that keep SSH off and Lockdown mode on. You can combine them into one script or run them separately as a daily job to keep everything under control. In my case, these two small scripts are part of one big script where I put all of my hardening recommendations.

# Only touch hosts that are reachable: connected or in maintenance mode
$vmhosts = Get-VMHost | Where-Object { $_.State -eq "Connected" -or $_.State -eq "Maintenance" }

#SSH
# TSM-SSH is the SSH daemon service on ESXi. Stop it wherever it is running and
# set the startup policy to Off for every host, so it does not come back after a reboot.
$ssh   = $vmhosts | Get-VMHostService | Where-Object { $_.Key -eq "TSM-SSH" }
$sshon = $ssh | Where-Object { $_.Running -eq $true }
$sshon | Stop-VMHostService -Confirm:$false
$ssh   | Set-VMHostService -Policy "Off" -Confirm:$false

#LOCKDOWN ESXI
foreach ($lock in $vmhosts) {
    # HostAccessManager exposes the lockdown state and the exception-user list (vSphere 6.0+)
    $HostAccessManager = Get-View $lock.ExtensionData.ConfigManager.HostAccessManager
    # Clear the exception users; they would keep direct host access even in Lockdown mode
    $HostAccessManager.UpdateLockdownExceptions($null)
    # LockdownMode is lockdownDisabled, lockdownNormal or lockdownStrict.
    # Only act when it is disabled, so a host already in strict mode is not downgraded to normal.
    if ($HostAccessManager.LockdownMode -eq "lockdownDisabled") {
        $HostAccessManager.ChangeLockdownMode("lockdownNormal")
    }
}
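The script above remediates; the trouble described earlier is noticing when someone has relaxed a setting in the first place. The following audit-only script is an added example, not part of the original post, that reports drift instead of fixing it, so it can run as a scheduled job and feed a ticket or SIEM. It assumes VMware PowerCLI is installed and a `Connect-VIServer` session already exists; the CSV file name is an assumption. It goes slightly beyond the post's SSH-only check by also reporting the ESXi Shell service (key `TSM`).

```powershell
# Added example (not the original post's code): audit ESXi hosts against the hardening baseline.
# Assumes an existing Connect-VIServer session. Nothing is changed on the hosts.

$report = foreach ($vmhost in Get-VMHost | Where-Object { $_.State -eq "Connected" -or $_.State -eq "Maintenance" }) {

    # Service state: TSM-SSH is the SSH daemon, TSM is the ESXi Shell (the latter is an extra check beyond the post)
    $services = $vmhost | Get-VMHostService
    $ssh   = $services | Where-Object { $_.Key -eq "TSM-SSH" }
    $shell = $services | Where-Object { $_.Key -eq "TSM" }

    # Lockdown mode and exception users come from the HostAccessManager managed object
    $ham        = Get-View $vmhost.ExtensionData.ConfigManager.HostAccessManager
    $exceptions = @($ham.QueryLockdownExceptions())

    $findings = @()
    if ($ssh.Running)                              { $findings += "SSH service running" }
    if ($ssh.Policy -ne "off")                     { $findings += "SSH startup policy is '$($ssh.Policy)', expected 'off'" }
    if ($shell.Running)                            { $findings += "ESXi Shell running" }
    if ($ham.LockdownMode -eq "lockdownDisabled")  { $findings += "Lockdown mode disabled" }
    if ($exceptions.Count -gt 0)                   { $findings += "Lockdown exception users: $($exceptions -join ', ')" }

    [pscustomobject]@{
        Host           = $vmhost.Name
        SSHRunning     = [bool]$ssh.Running
        SSHPolicy      = $ssh.Policy
        LockdownMode   = $ham.LockdownMode
        ExceptionUsers = $exceptions.Count
        Compliant      = ($findings.Count -eq 0)
        Findings       = ($findings -join "; ")
    }
}

$report | Format-Table -AutoSize

# Hosts that drifted from the baseline go to a timestamped CSV (file name is an assumption) and a warning
$bad = @($report | Where-Object { -not $_.Compliant })
if ($bad.Count -gt 0) {
    $bad | Export-Csv -NoTypeInformation -Path ("esxi-hardening-drift-{0:yyyyMMdd-HHmm}.csv" -f (Get-Date))
    Write-Warning ("{0} host(s) drifted from the hardening baseline" -f $bad.Count)
}
```

Running this a few minutes before the remediation job gives you a record of who left what open and when, which is the part the remediation script alone cannot tell you.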
Please like and share to spread the knowledge in the community.

Subscribe to my channel: https://bit.ly/3vY16CT

If you want to chat with me please use Twitter: @AngrySysOps

Join my VMware Knowledge Base Group: https://bit.ly/3w54tbc

Visit my FB page: https://www.facebook.com/AngrySysOps

Read my blog: https://angrysysops.com

Please leave a comment.