Virtualisation platforms becoming a top target for ransomware gangs

Yanluowang is one of a growing number of ransomware programmes capable of targeting virtual environments.

By Claudia Glover

Security company Kaspersky has published a free tool that allows victims of the Yanluowang ransomware, which targets virtual machines, to recover their data encrypted by the malware. Yanluowang is part of a growing trend which has seen ransomware gangs targeting virtualisation as part of their attacks.

Virtualisation platforms like VMware are increasingly targets for ransomware gangs. (Photo Illustration by Pavlo Gonchar/SOPA Images/LightRocket via Getty Images)

First spotted by researchers late last year, Yanluowang has been deployed against financial services organisations, as well as businesses in other sectors based mainly in the US, Brazil and Turkey. But a flaw in the ransomware’s encryption system has allowed Kaspersky’s engineers to come up with a fix which can be downloaded here and helps victims decrypt information.

The Yanluowang ransomware “has the functionality to terminate virtual machines, processes and services,” Kaspersky’s research team warns. And the cybercriminals behind the malware are not the only threat actors targeting virtualisation as a potentially lucrative attack vector.

The rise of ransomware attacks on virtualisation platforms

Ransomware attacks on virtualisation platforms have risen over the past year, according to a new report from security company Mandiant. The company’s ‘Cyber Trends and Insight report’, released on Tuesday, says Mandiant’s team has noted a steady rise of attacks on virtualisation platforms throughout 2021.

“VMware, vSphere and ESXi [virtualisation] platforms are being targeted by multiple threat actors,” the report says, including those associated with prolific ransomware-as-a-service (RaaS) gangs Hive, Conti, BlackCat and DarkSide.

The report states that threat actors armed with compromised credentials will log in to VMware’s server management software vCenter to discover all the ESXi hosts used in that environment. The number of such hosts deployed by an individual business can run into the thousands. “The ESXi hosts are a ripe target for many actors,” the report says. “They need to log directly in to these servers to deploy ransomware, which impacts the availability of all virtualised hosts running on the server.”

In January, VMware was forced to release a patch for a vulnerability in its Workstation, Fusion and ESXi products that could have been exploited by hackers.


Why is virtualisation a target for ransomware?

The shift away from on-premises systems to cloud-based virtual environments, exacerbated by the Covid-19 pandemic, has led ransomware gangs to see virtualisation platforms as an attractive target, says Jason Steer, global CISO at security company Recorded Future. “The last year was the first time we saw products from [cloud infrastructure vendors] Oracle and Citrix targeted by criminals,” he says.

RaaS gangs are increasingly selling their ability to target virtual environments on dark web marketplaces, Steer adds. “We’ve definitely seen that there is an increase in demand for ransomware tools that can work in virtual environments that two years ago didn’t exist,” he says. “This reflects a trend of not just focusing on Windows, but on Linux and virtualisation systems as well.”

Can you safeguard virtual environments from ransomware attacks?

Attacks on virtual infrastructure can be difficult to stop quickly, says David Mata, SVP for global crisis management at security vendor Darktrace.

“This kind of ransomware targets the management plane of the virtualisation platform and we have seen virtual infrastructure being targeted as an attack vector, especially when this infrastructure is exposed directly to the internet,” Mata says. “This typically allows attackers to delay recovery and remediation by ensuring that back-ups, as well as other server management features, are made unavailable.”

But there are steps tech leaders can take to secure their virtual environments, Steer says. “We encourage clients to look for telltale signs of threat actor activity in systems prior to the ransomware button being hit and data being encrypted,” he says.

“There’s a huge amount of intelligence that’s out there around ‘living off the land tactics’ that threat actors use to collect all of this information about where servers are, where the users are and where the data is.”
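One concrete form the “telltale signs” above can take, given the pattern the Mandiant report describes (a compromised account used to log directly into many ESXi hosts), is a small detector over ESXi SSH authentication logs. The following is an added example written for this article, not a tool from Kaspersky, Mandiant or the vendors quoted; the log lines are constructed to resemble ESXi sshd entries as collected by a central syslog server with the sending host’s name prepended, and the host names, addresses and management network are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample: ESXi sshd lines as they might arrive at a syslog
# collector, prefixed with the sending host's name (not real logs).
SAMPLE_LOG = """\
2021-11-03T14:00:12Z esx-prod-01 sshd[2100054]: Accepted keyboard-interactive/pam for root from 10.10.5.20 port 50211 ssh2
2021-11-03T14:00:40Z esx-prod-02 sshd[2100071]: Accepted keyboard-interactive/pam for root from 10.10.5.20 port 50215 ssh2
2021-11-03T14:01:05Z esx-prod-03 sshd[2100088]: Accepted keyboard-interactive/pam for root from 10.10.5.20 port 50220 ssh2
2021-11-03T14:01:33Z esx-prod-04 sshd[2100102]: Accepted keyboard-interactive/pam for root from 10.10.5.20 port 50226 ssh2
2021-11-03T14:01:50Z esx-prod-05 sshd[2100119]: Failed password for root from 10.10.5.20 port 50230 ssh2
2021-11-03T16:30:02Z esx-prod-01 sshd[2100300]: Accepted publickey for vcenter-svc from 10.10.1.5 port 41000 ssh2
2021-11-04T09:15:44Z esx-prod-07 sshd[2100455]: Accepted keyboard-interactive/pam for root from 198.51.100.23 port 60010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2$"
)

def parse_logins(text):
    """Return successful ESXi SSH logins as (timestamp, host, user, src_ip)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # failed attempts and unrelated lines are ignored here
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["host"], m["user"], m["src"]))
    return sorted(events)

def detect(text, window=timedelta(minutes=15), fanout=3,
           mgmt_nets=("10.10.0.0/16",)):  # assumed management network
    """Flag two telltale signs: one account reaching many distinct ESXi hosts
    within `window`, and direct host logins from outside the management nets."""
    allowed = [ip_network(n) for n in mgmt_nets]
    alerts, per_user = [], defaultdict(list)
    for ts, host, user, src in parse_logins(text):
        if not any(ip_address(src) in net for net in allowed):
            alerts.append(("external_source", user, host, src))
        per_user[user].append((ts, host))
    for user, hits in per_user.items():
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= fanout:
                alerts.append(("host_fanout", user, start.isoformat(), sorted(hosts)))
                break  # one alert per account is enough for triage
    return alerts
```

On the sample, the root account touching four hosts within two minutes produces a `host_fanout` alert, and the login from a non-management address produces an `external_source` alert; the failed attempt and the single service-account login produce nothing.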

