New Ransomware Tactic: Adversaries Target ESXi Servers to Maximize Impact

Targeted large ransomware campaigns for ESXi servers, called big game hunting (BGH), remain the primary e-crime threat to organizations across all sectors as of 2020. The relentless scale and pace of these campaigns mean that some sophisticated BGH actors have not attracted much attention.

While ransomware for Linux has been around for many years, BGH actors have historically not targeted Linux, much less the ESXi hypervisor.

This probably reflects the massive dominance of the Windows operating system in businesses and large organizations.

The victims included organizations that used virtualization to host many of their corporate systems on several ESXi servers, creating a virtual jackpot for the ransomware.

By deploying ransomware to these ESXi hosts, adversaries rapidly increased the scope of affected systems in victim environments, adding pressure to pay the ransom demand.

What Is ESXi?

ESXi is a Type-1 hypervisor, aka "bare-metal hypervisor," developed by VMware. A hypervisor is software that runs and manages virtual machines (VMs).

Unlike Type-2 hypervisors, which run on a conventional host operating system, Type-1 hypervisors run directly on the dedicated host hardware. ESXi systems are typically managed through vCenter, a centralized server administration tool that can control multiple ESXi devices.

While ESXi is not a Linux operating system, it is possible to run some Linux ELF binaries from the ESXi command line.

According to several estimates, VMware holds the vast majority of the global virtual machine market share, far ahead of its closest competitor.

This means that a threat actor who wants to encrypt virtual infrastructure may prioritize developing malware that can affect VMware environments.

Also, you can get ESXi for free.

SPRITE SPIDER and Defray777 Ransomware

SPRITE SPIDER is an e-crime actor that runs low-volume BGH ransomware campaigns using the Defray777 ransomware. SPRITE SPIDER also uses the Vatet loader and the PyXie Remote Access Tool (RAT).

Like other BGH actors, SPRITE SPIDER first compromises domain controllers (DCs). After gaining DC access, SPRITE SPIDER collects and exfiltrates sensitive victim data and deploys its Defray777 ransomware.

In November 2020, SPRITE SPIDER launched a dedicated leak site (DLS) on a Tor hidden service domain to publish files from victims who did not comply with its ransom demands.

To compromise ESXi devices, SPRITE SPIDER attempts to gather credentials that can be used to authenticate to the vCenter web interface.

SPRITE SPIDER uses PyXie's LaZagne module to recover vCenter credentials stored in web browsers and runs Mimikatz to steal credentials from host memory.

After authenticating to vCenter, SPRITE SPIDER enables SSH to allow persistent access to ESXi devices. In some cases, the adversary will also change the host account password or SSH keys.

CARBON SPIDER and Darkside Ransomware

Since 2016, CARBON SPIDER has traditionally targeted companies operating POS devices, with initial access gained through low-volume phishing campaigns against the sector.

CARBON SPIDER has used various backdoors and RATs to maintain persistent access. The adversary's signature persistent-access tools include the Sekur implant (aka Anunak), used since 2016, and the Harpy backdoor (aka Griffon), used from 2018 to 2020.

CARBON SPIDER makes extensive use of Cobalt Strike for lateral movement and of open-source post-exploitation tools such as PowerSploit.

Similar to SPRITE SPIDER, CARBON SPIDER gained access to ESXi servers using valid credentials.

The adversary usually accesses these systems via the vCenter web interface using legitimate credentials, and also logs in via SSH using the Plink utility to drop Darkside.
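
A defender-side check for the behaviour described for both actors (SSH being enabled on an ESXi host, followed by SSH logins), as an added example that is not from the original article. It scans constructed log lines modelled on ESXi's vobd.log; the line format, the event identifiers and the admin-host allowlist are assumptions to verify against your own hosts.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on vobd.log (format and event IDs are assumptions).
SAMPLE_LOG = """\
2020-11-03T02:14:07.101Z: [UserLevelCorrelator] 881234us: [esx.audit.ssh.enabled] SSH access has been enabled.
2020-11-03T02:15:42.552Z: [UserLevelCorrelator] 976541us: [esx.audit.ssh.session.opened] SSH session was opened for 'root@192.0.2.77'.
2020-11-03T09:30:00.000Z: [UserLevelCorrelator] 999999us: [esx.audit.ssh.session.opened] SSH session was opened for 'root@10.20.0.5'.
2020-11-03T12:00:00.250Z: [UserLevelCorrelator] 111111us: [esx.audit.ssh.session.opened] SSH session was opened for 'root@198.51.100.9'.
"""

LINE_RE = re.compile(
    r"^(?P<ts>[\dT:.\-]+)Z: \[\w+\] \d+us: \[(?P<event>[\w.]+)\] (?P<msg>.*)$")
SESSION_RE = re.compile(r"for '(?P<user>[^@']+)@(?P<src>[^']+)'")


def find_ssh_findings(log_text, admin_sources, window=timedelta(minutes=30)):
    """Return (timestamp, kind, source) tuples for suspicious SSH activity.

    kind is one of:
      ssh-enabled           SSH service switched on (it is off by default on ESXi)
      login-after-enable    login from a non-admin source soon after SSH was enabled
      login-unknown-source  login from a non-admin source at any other time
    """
    findings, ssh_enabled_at = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f")
        if m["event"] == "esx.audit.ssh.enabled":
            ssh_enabled_at = ts
            findings.append((ts, "ssh-enabled", None))
        elif m["event"] == "esx.audit.ssh.session.opened":
            s = SESSION_RE.search(m["msg"])
            src = s["src"] if s else "unknown"
            if src in admin_sources:
                continue  # expected management host
            recent = ssh_enabled_at is not None and ts - ssh_enabled_at <= window
            kind = "login-after-enable" if recent else "login-unknown-source"
            findings.append((ts, kind, src))
    return findings


if __name__ == "__main__":
    # 10.20.0.5 stands in for a known jump host (hypothetical allowlist entry).
    for ts, kind, src in find_ssh_findings(SAMPLE_LOG, {"10.20.0.5"}):
        print(ts.isoformat(), kind, src or "-")
```

Because both actors authenticate with valid credentials, the login itself looks legitimate; the signal here is the service change and the source of the session, so the allowlist needs to reflect the real management hosts.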