Reverse engineering of the RansomEXX/Defray777 ESXi ransomware, displaying the strings found. As long as the host is still running, the ransomware monitors the virtual machines and will encrypt any new vmdk or other virtual machine files that are put on shared datastores that it can reach. However, they will usually not survive a reboot, and will need a complete reinstallation. It will also encrypt the ESXi host itself including all log files, so unless you have central tamper-proof logging in place it will be very difficult to secure forensic evidence regarding how the attack was carried out.ĭespite the encryption, the ESXi hosts will usually remain running since they have already loaded the system files into memory. The ransomware will encrypt all virtual machines' vmdk files on all attached datastores. Screenshot of ESXi virtual machine files encrypted by RansomEXX/Defray777 A future blog post will analyze this in more detail and provide more suggested protections. This could for example be done through an RCE vulnerability such as the one for SLP in ESXi or through Active Directory->vCenter Server->ESXi, but also in other ways. This blog post won't go into the technical details on how the attacker gets into the ESXi hosts to execute the actual ransomware. This can greatly increase the scope and speed of the attack, which is bad news for us. The benefit of this method from the attackers' side is that they can encrypt numerous systems without having to reach them all over the network and obtain administrative privileges. We have recently seen an increase in ransomware attacks where the encryption is executed from the virtualization platform (ESXi or Hyper-V hosts) rather than from inside each guest operating systems (Windows, Linux etc).
If you are using ESXi, then please check out the other article in here on how to access the VMware ESXi Console: VMware ESXi – Console Access (Unsupported)Īfter logging into the VMware Console you will need to run the following command as shown in the image below to open the host file of you VMware:Įnter the host names & ip addresses in the host file as shown in the image below: If you are using ESX, then logging in to the service console is straight forward. The steps below show what to do after you login to the console of your VMware Server. What if you did not even have a DNS & still want to implement HA & other feature that depend on name resolution, then again adding the records to the host file is the solution. Would you like a way to ensure that your HA will work even if your DNS fail? then Adding these records to the host files of each of the ESXi server in the cluster will do the trick.
What if DNS fail? As many customers are using Microsoft DNS as their primary means of DNS, there is a chance it will fail a day or another. As your VMware HA is dependant on your servers being able to resolve the names of itself & other ESX server in the cluster, the DNS get to play a major role in HA. If you are as paranoid with redundancy as my team & I are, then entering the hostnames & IPs of all the server in a cluster into the VMware host file is a must.