Last updated on Tuesday 16th of November 2021 08:30:50 PM

Protect ©ESXi VMs from ransomware

Keep your VMs safe from ransomware by keeping a high number of restore points

Ransomware is growing rapidly, destroying enterprise data unless a ransom is paid to decrypt it. Specialized journalists claim that, measured by income growth, this is one of the biggest illegal activities nowadays.

Every day the news tells of some new big enterprise or government affected by this disease. Nobody admits to paying the extortion; nonetheless, unofficially, leaked reports tell a different story.

Ransomware consists of encrypting the data of an institution, enterprise or individual by means of a malware binary. The way it gets into your enterprise is generally through the e-mail inbox, disguised as a parcel service delivery note, a zipped document from your bank, or an order from a client.

Some years ago these binaries were poorly designed and the encryption could even be reversed with advanced forensic tools. Nowadays things have changed: they use strong encryption keys, making it impossible to revert. Thus, you'd better make sure that you are prepared, in the event that somebody in your office bites the bait.

Can you imagine what it would mean for your enterprise to lose all of its data? Are you sure you have a recent backup ready to be restored rapidly?

Until very recently ransomware was designed to be executed on Windows platforms, but criminals know very well that nowadays a very high number of desktops have been virtualized. They are starting to target virtualization platforms like ©ESXi. Recently, ransomware for ©ESXi, exploiting some of the vulnerabilities of this hypervisor OS, has been detected.

This new form of malware will try to encrypt your virtual disks. If you back up to a local datastore, the chances that your backup copies get encrypted too are high. Our ©VMWare ©ESXi backup software allows backing up over IP/SSH, adding an extra layer of protection, since the malware executes locally on the infected host.

There are different ways to minimize the possibility of a successful ransomware attack on different platforms; let's review them:

Use a good and recent antivirus software

You should be especially concerned if you are a ©MS Windows desktop user. Guess what, cybercriminals work on statistical probabilities. Most viruses and malware are designed for Windows desktops.

Linux and Mac OS users are safer; still, the chances that you are affected by some ransomware episode are also high, in this case due to the probably excessive confidence you have in being safe.

And above all, please do make sure that your AV software is updating itself.

Design your systems to be resilient to infections

Devise systems that make it difficult for an eventual infection to propagate through your network shares. Forcing users to enter their password on network shares might make you even more unpopular than you are now; still, it's for the common good.

Keep your databases (ERP, CRM, accounting, etc.) on isolated servers that do not share any folder with desktop users. I know this is not easy in an SME with a reduced budget, but ©ESXi is still free to use as a basic hypervisor, and there are other mature platforms out there. Take the time to learn and use a virtualization platform for your servers, so that you can isolate them in a more convenient way. And of course back them up every day and make sure that the copies are in a safe place.

Ransomware affecting virtualization platforms

Malware affecting other types of more specialized OSs, like virtualization hypervisors, is still rare, but you can bet it will grow rapidly. Try to think ahead and devise strategies to keep your data protected, like backing up over IP. Reduce permissions on the folders where you keep your SSL keys to the bare minimum, like 0400. This will still allow your backup software to use them to authenticate against remote servers, but will reduce the chances that some malware encrypts them.
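As an added example (not code from this post or from the backup product it describes), the following POSIX shell functions audit a key directory against the advice above: every key file should be 0400 and the directory holding them 0700 (the owner still needs the execute bit to traverse it). The directory path and file names are hypothetical; pass "fix" as the second argument to tighten offending modes.

```shell
#!/bin/sh
# Audit (and optionally tighten) the permissions of the private keys a backup
# job uses to authenticate against a remote SSH/IP target. Assumed layout
# (constructed): all keys live in one directory, e.g. /path/to/backup-keys.
# Mode strings are read from `ls -ld` so this also works on busybox shells.

# Return 0 when the file is mode 0400 (owner read-only, nothing for others).
key_mode_ok() {
    [ "$(ls -ld "$1" | cut -c2-10)" = "r--------" ]
}

# Return 0 when the directory is mode 0700 (owner needs x to traverse it).
dir_mode_ok() {
    [ "$(ls -ld "$1" | cut -c2-10)" = "rwx------" ]
}

# audit_keys DIR [fix]
# Prints one status line per object and returns the number of offending
# objects (0 = all good). With "fix" as 2nd argument it applies chmod 0700
# to the directory and chmod 0400 to every key file that is too permissive.
audit_keys() {
    dir=$1; fix=$2; bad=0
    if dir_mode_ok "$dir"; then
        echo "OK   $dir"
    else
        bad=$((bad + 1))
        echo "WEAK $dir (expected drwx------)"
        if [ "$fix" = "fix" ]; then chmod 0700 "$dir"; fi
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if key_mode_ok "$f"; then
            echo "OK   $f"
        else
            bad=$((bad + 1))
            echo "WEAK $f ($(ls -ld "$f" | cut -c1-10), expected -r--------)"
            if [ "$fix" = "fix" ]; then chmod 0400 "$f"; fi
        fi
    done
    return "$bad"
}
```

Run it from cron before each backup job and alert on a non-zero return code, so a key that silently became world-readable is noticed before it can be abused.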

Grab your keys from a remote SSH server by using another key. I know this sounds a bit crazy, but it's easy to implement, and no ransomware programmer will try to target eccentric geeks; remember, they depend on the Gaussian distribution to make money.

We will cover this technique in a different post.

Well, as you can see, there are a number of ways to increase your level of protection against the bad guys. The most fundamental one: don't do the same as everybody else. Users will sooner or later click on some ransomware binary; it's just a matter of time. Rare is the day I don't receive 10 to 20 e-mails with such content. My AV is not able to detect them all, maybe just one third, and I use one of the best.