Security company Kaspersky has published a free tool that allows victims of the Yanluowang ransomware, which targets virtual machines, to recover their data. Yanluowang is part of a growing trend in which ransomware gangs target virtualisation as part of their attacks.
First spotted by researchers late last year, Yanluowang has been deployed against financial services organisations, as well as businesses in other sectors based mainly in the US, Brazil and Turkey. But a flaw in the ransomware’s encryption scheme has allowed Kaspersky’s engineers to produce a decryptor, available for download from Kaspersky, that helps victims recover their data.
The Yanluowang ransomware “has the functionality to terminate virtual machines, processes and services,” Kaspersky’s research team warns. And the cybercriminals behind the malware are not the only threat actors targeting virtualisation as a potentially lucrative attack vector.
The rise of ransomware attacks on virtualisation platforms
Ransomware attacks on virtualisation platforms have risen over the past year, according to a new report from security company Mandiant. The company’s ‘Cyber Trends and Insight report’, released on Tuesday, says Mandiant’s team has noted a steady rise of attacks on virtualisation platforms throughout 2021.
“VMware, vSphere and ESXi [virtualisation] platforms are being targeted by multiple threat actors,” the report says, including those associated with the prolific ransomware-as-a-service (RaaS) gangs Hive, Conti, BlackCat and DarkSide.
The report states that threat actors armed with compromised credentials will log in to VMware’s server management software vCenter to discover all the ESXi hosts used in that environment. The number of such hosts deployed by an individual business can run into the thousands. “The ESXi hosts are a ripe target for many actors,” the report says. “They need to log directly in to these servers to deploy ransomware, which impacts the availability of all virtualised hosts running on the server.”
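The pattern the report describes, an attacker using valid credentials to log directly into many ESXi hosts, is something a defender can look for in host authentication logs. The following script is an added example (not from Mandiant, Kaspersky or the article) that scans sshd-style "Accepted ..." lines, which is the format ESXi's OpenSSH daemon writes, and flags two telltale signs: root logins from outside an assumed management subnet, and one source address logging into an unusual number of hosts. The host names, addresses, subnet and threshold are all constructed for the example.

```python
"""Flag suspicious direct SSH logins to ESXi hosts from sshd-style auth log lines.

Added example: the log lines, host names, addresses, management subnet and
fan-out threshold below are constructed for illustration, not taken from any
real environment or from the article.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH "Accepted ..." format, with the syslog
# timestamp stripped and the originating host name prepended.
SAMPLE_LOG = """\
esx-01 sshd[1201]: Accepted keyboard-interactive/pam for root from 10.10.5.20 port 51234 ssh2
esx-02 sshd[1322]: Accepted keyboard-interactive/pam for root from 10.10.5.20 port 51240 ssh2
esx-03 sshd[1410]: Accepted keyboard-interactive/pam for root from 10.10.5.20 port 51251 ssh2
esx-07 sshd[1599]: Accepted keyboard-interactive/pam for root from 192.0.2.77 port 40022 ssh2
esx-04 sshd[1488]: Accepted keyboard-interactive/pam for root from 10.10.1.9 port 50123 ssh2
esx-05 sshd[1501]: Failed keyboard-interactive/pam for root from 10.10.5.20 port 51260 ssh2
"""

# Assumed: administrators only reach ESXi from this jump subnet.
MGMT_NETS = [ipaddress.ip_network("10.10.1.0/24")]
# Assumed: one source logging into this many distinct hosts is abnormal here.
FANOUT_THRESHOLD = 3

LOGIN_RE = re.compile(
    r"^(?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_logins(text):
    """Return (host, user, source_ip) for every successful login line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:  # "Failed ..." lines and unrelated lines are ignored
            events.append((m["host"], m["user"], ipaddress.ip_address(m["src"])))
    return events


def analyze(text, mgmt_nets=MGMT_NETS, fanout=FANOUT_THRESHOLD):
    """Apply two detections and return a list of finding dicts."""
    findings = []
    hosts_by_src = defaultdict(set)
    for host, user, src in parse_logins(text):
        hosts_by_src[src].add(host)
        # Detection 1: successful login from outside the management subnet.
        if not any(src in net for net in mgmt_nets):
            findings.append({"rule": "login_outside_mgmt_net", "src": str(src),
                             "user": user, "hosts": [host]})
    # Detection 2: one source fanning out across many ESXi hosts.
    for src, hosts in hosts_by_src.items():
        if len(hosts) >= fanout:
            findings.append({"rule": "fanout", "src": str(src),
                             "user": None, "hosts": sorted(hosts)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['rule']:24} src={f['src']:12} hosts={','.join(f['hosts'])}")
```

In practice the input would be the sshd lines collected from each host's authentication log by a central syslog collector; the value of the second rule is that a single ESXi login from a new address looks routine on one host, and only becomes obviously anomalous when the logs of the whole fleet are read together.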
In January, VMware was forced to release a patch for a vulnerability in its Workstation, Fusion and ESXi products which could have been exploited by hackers.
Why is virtualisation a target for ransomware?
The shift away from on-premises systems to cloud-based virtual environments, accelerated by the Covid-19 pandemic, has led ransomware gangs to see virtualisation platforms as an attractive target, says Jason Steer, global CISO at security company Recorded Future. “The last year was the first time we saw products from [cloud infrastructure vendors] Oracle and Citrix targeted by criminals,” he says.
RaaS gangs are increasingly selling their ability to target virtual environments on dark web marketplaces, Steer adds. “We’ve definitely seen that there is an increase in demand for ransomware tools that can work in virtual environments that two years ago didn’t exist,” he says. “This reflects a trend of not just focusing on Windows, but on Linux and virtualisation systems as well.”
Can you safeguard virtual environments from ransomware attacks?
Attacks on virtual infrastructure can be difficult to stop quickly, says David Mata, SVP for global crisis management at security vendor Darktrace.
“This kind of ransomware targets the management plane of the virtualisation platform and we have seen virtual infrastructure being targeted as an attack vector, especially when this infrastructure is exposed directly to the internet,” Mata says. “This typically allows attackers to delay recovery and remediation by ensuring that back-ups, as well as other server management features, are made unavailable.”
But there are steps tech leaders can take to secure their virtual environments, Steer says. “We encourage clients to look for telltale signs of threat actor activity in systems prior to the ransomware button being hit and data being encrypted,” he says.
“There’s a huge amount of intelligence that’s out there around ‘living off the land tactics’ that threat actors use to collect all of this information about where servers are, where the users are and where the data is.”