Malware News The Week in Ransomware - April 5th 2024 - Virtual Machines under Attack

Gandalf_The_Grey

Ransomware attacks targeting VMware ESXi and other virtual machine platforms are wreaking havoc among the enterprise, causing widespread disruption and loss of services.

Panera's massive IT outage last month that took down internal systems, the website, mobile apps, and phones was caused by a ransomware attack encrypting the company's virtual machines.

While the company has been able to restore servers from backups, it took almost a week for their systems to be restored.

Similarly, Omni Hotels suffered a massive outage, which took down the company's reservation system, phones, and door lock system. The outage was so severe that guests had to contact a hotel employee to be let into their rooms, as key cards did not work.

Omni Hotels confirmed a few days later that they suffered a cyberattack, with BleepingComputer learning that it was once again a ransomware attack encrypting the company's virtual machines. BleepingComputer has been told that Omni is restoring from backups as well.

This week, Chilean hosting provider IxMetro Powerhost also disclosed a ransomware attack where the threat actors encrypted the hosting company's VMware ESXi servers. These servers powered customers' virtual private servers (VPS), also bringing their websites down.

Unfortunately, they were not as lucky as Panera and Omni Hotels, as the threat actors also encrypted the company's backups. The threat actors behind this attack, known as SEXi, demanded two bitcoins per customer to receive a decryptor.

While virtual machine platforms, like VMware ESXi, make it much easier for enterprises to manage resources and servers, they have also become a very tempting target for ransomware gangs.

As a company's servers are now centrally located as virtual machines, threat actors can simply encrypt a single VMware server to perform massive disruption to a company's operations.

Admins must tighten security on their virtual machine platforms by applying the latest security updates to VM software and the host operating systems, using administrative credentials different from those of the Windows domain, and applying tighter access controls.

Today, the Chilean government’s CSIRT issued an advisory warning the enterprise to upgrade VMware software to the latest versions and offered advice on securing servers.

While attackers targeting virtual machines are nothing new, this week's attacks continue to show that they are critical IT systems that need to be properly secured to prevent disastrous outages.
 
