We have all known that we need to employ good security tactics with our VMware vSphere ESXi servers and ensure we do our diligence to keep these secure. However, the stakes get exponentially higher when you consider the danger of ESXi ransomware and what it has the potential to do. It seems it is getting more common to hear of ransomware gangs targeting ESXi servers as part of their heist, making total sense. Arguably most enterprise organizations today are using VMware vSphere to house their on-premises workloads. So, encrypting ESXi hosts is the “all eggs in one basket” scenario where you can get all of the business-critical workloads running in ESXi in one fell swoop. Let’s look at how to protect against Black Basta ESXi ransomware, a new ransomware variant seen recently.
What is Black Basta ESXi ransomware?
Black Basta is a new ransomware gang that quickly rose as a ransomware gang to watch in 2022. They are also a ransomware gang that goes after victims using the now-standard “double extortion” routine. In case you are not yet familiar with the double extortion scheme, attackers first extort victims for cryptocurrency to decrypt their data that has been encrypted by the ransomware process. Then, they also demand payment to prevent business-critical or sensitive data from being leaked to the dark web.
A new report from Uptycs Threat Research analysts has raised the alert that new Black Basta ransomware has been spotted that specifically targets VMware ESXi servers. In fact, many security sites and researchers suggest that the main reason many ransomware gangs are developing Linux ransomware is to compromise VMware ESXi server.
In the second week of April 2022, Black Basta ransomware was first spotted in the wild. It has since been ramping up its attacks on organizations worldwide, including attempts to compromise VMware ESXi servers.
According to Bleeping Computer the ransomware searches out the /vmfs/volumes folder where virtual machines are stored in VMware ESXi server datastores. It uses the ChaCha20 algorithm to encrypt data running in VMware ESXi. Virtual machine encrypted files will get the .basta extension appended to the datastore files.
Note a few of the posts describing the new Black Basta ransomware targeting VMware ESXi:
- Linux version of Black Basta ransomware targets VMware ESXi servers (bleepingcomputer.com)
- Linux version of Black Basta ransomware targets VMware ESXi servers | Vumetric Cyber Portal
- Linux version of Black Basta ransomware targets VMware ESXi servers | IT Security News
Protect against Black Basta ESXi ransomware
The first question that is going to go through the minds of most VI admins is how do I protect against Black Basta ESXi ransomware. While I have yet to see details on how previous victims have become infected with ESXi ransomware, it is safe to say that improper VMware ESXi security hygiene is not being implemented correctly in a lot of cases.
Let’s take a look at the following ways to protect against Black Basta ESXi ransomware:
- Segment your ESXi management network from your LAN
- Disable SSH access
- Do not use Active Directory authentication for admin-level access to VMware ESXi
- Use ESXi lockdown mode
- Enable execInstalledOnly with TPM-enabled hosts
- Patch your VMware ESXi hosts regularly
1. Segment your ESXi management network from your LAN
I will argue to say it is NEVER a good idea to have your ESXi management interfaces on the same network as your production LAN, especially where clients browsing the Internet are located. You are asking for trouble here. Often an Internet-connected client is the entry point for ransomware or the compromise where an attacker gets on the internal network and starts looking around. They may not launch a ransomware attack at this stage but instead start performing reconnaissance.
However, once they have your VMware ESXi in their sights and it is openly accessible from a network perspective, it is only a matter of time before they will be able to compromise your ESXI host. Segmenting your VMware ESXi management interface from the rest of the network is a fundamental step in securing your VMware vSphere infrastructure from compromise.
Read a couple of my relevant posts here:
- Change ESXi Management IP Address and VLAN on vSphere Distributed Switches VDS
- Change your vSphere Management Network now!
2. Disable SSH access
I have seen many environments where SSH access is left enabled 24x7x365 on business-critical ESXi hosts. While SSH is convenient and helpful in certain situations, you should only enable the SSH service on your VMware ESXi hosts when it is absolutely needed. Once you have completed using SSH on your ESXi hosts, you should stop the service.
Coupled with the management interface being on the same network as Internet-connected clients, having the SSH service enabled makes compromising a host much easier as there is now only a password that stands in between the attacker and owning your ESXi host.
3. Do not use Active Directory accounts for admin-level access to VMware ESXi
Another dangerous practice, in my honest opinion, is using Active Directory accounts for admin-level access to VMware ESXi. Active Directory accounts are one of the most targeted accounts in an enterprise environment. Users, including admins, often create passwords that may meet complexity requirements but are easily cracked or are leetspeak-type passwords that are easily guessed.
After all, we all think very similarly, including how we create passwords and character substitutions we come up with. Attackers know this and they can often guess what would be considered difficult passwords due to the characters they contain. However, again, they involve very common character substitutions.
Using a domain administrator Active Directory account delegated administrator access in VMware vCenter Server is a bad idea. If an attacker compromises your domain credentials or the credentials of a user that has been delegated administrator access within vSphere, it is game over.
Instead, created very strong “generated” passwords for named local accounts in VMware ESXi for access. Also, if you delegate Active Directory accounts with permissions in vSphere, be sure to configure two-factor authentication (2FA) for vCenter Server. Take a look at my post and video on how to configure this effectively:
4. Use ESXi Lockdown mode
Briefly, lockdown mode with ESXi helps to increase the security of your ESXi hosts. When an ESXi host is placed in lockdown mode, all operations must happen through vCenter Server. There are two modes for lockdown mode:
- Normal lockdown mode
- Strict lockdown mode
What is locked down with lockdown mode? When running in normal or strict lockdown mode, privileged users can access the ESXi host using vCenter Server, vSphere client, or using the vSphere web services SDK.
What about direct console access (DCUI)? When the host is in strict lockdown mode, the DCUI is disabled. In normal lockdown mode, accounts on the exception list can still access the DCUI if they are administrators. What about SSH and ESXi shell access? User accounts on the exception list can still access these services. For all other users, these services are disabled. Access in lockdown mode is also logged for audit purposes.
Enabling Lockdown mode is as simple as the following steps:
- Click Settings for an ESXi host in inventory
- Under System, select Security Profile
- In the Lockdown mode panel, select Edit
- Click Lockdown Mode and select either Normal or Strict lockdown mode
5. Enable execInstalledOnly with TPM-enabled hosts
With execInstalledOnly enforcement, you can enforce that ESXi can only run VMkernel VIBs signed by VMware. VIBs are the specialized ESXi software packages that allow you to install software, updates, etc., on your ESXi host.
The execInstalledOnly security enforcement prevents running any code on your ESXi host other than signed VIBs. This greatly reduces the chance that malware will be allowed to run on your VMware ESXi host.
The execInstalledOnly setting can be enabled in the advanced settings of your ESXi host and is a simple True or False toggle.
6. Patch your VMware ESXi hosts regularly
Another way to protect your VMware ESXi hosts is to make sure you regularly apply security patches to your hosts. Having very old and unpatched releases of VMware ESXi increases the likelihood that your VMware ESXi host will be compromised.
Have a regular patch schedule and stick to this to keep your hosts patched with the current and supported releases. Keep an eye out on the Advisories (vmware.com) website and subscribe to their alerts to stay informed of any new threats or discovered vulnerabilities.
Enterprise backups are still needed
The last thing you want to do is restore your data, which means the bad guys were successful. However, the last thing you also want to happen is not to have good backups of your mission-critical data if recovery is the only option. This would be disastrous as it would mean the only choice you have to get your data back is to pay the bad guys.
Using a capable enterprise backup solution like NAKIVO Backup & Replication is a great way to have the capabilities and tools needed to effectively protect your data and recover your data from various types of disaster, including ransomware.
Modern backup solutions like NAKIVO also provide many of the mechanisms you want to see in a backup solution, such as immutable backups that prevent changes or modifications before a certain period. This is critical as modern ransomware often seeks out your backups to ensure they encrypt these to eliminate any chance of recovering your data.
NAKIVO also offers multi-factor authentication to access your backup console and other great features like Backup copy jobs, replication jobs, and site recovery orchestration to help orchestrate recovering your data in a completely different site if you lose a site due to ransomware or any other disaster. It also helps your business align with the 3-2-1 backup best practice methodology.
Check out NAKIVO here where you can download a free trial of the software to try it out yourself:
Protect against ESXi ransomware FAQs
- Can VMware ESXi be affected by ransomware? The short answer is yes. Many ransomware gangs today see the tremendous value in attacking VMware ESXi. The ESXi hypervisor often runs business-critical workloads in enterprise private cloud data centers. By encrypting an ESXi host, attackers can essentially hold hostage all the business-critical servers running in ESXi.
- What is Black Basta ransomware? It is ransomware developed by a new ransomware gang that has come onto the scene since April 2022. They are quickly gaining momentum regarding attacks and the scope of infections. VI admins must Protect against Black Basta ESXi ransomware at all costs.
- How do you protect VMware ESXi from ransomware? Like any type of security, protecting VMware ESXi is a multi-pronged approach requiring many security layers. You don’t want to rely on any single layer for full protection. It comes down to implementing best practices in the environment. These include segmenting your ESXi management interfaces from your production LAN, disabling unneeded services like SSH when these are not needed, enabling lockdown mode, and using configuration settings like execInstalledOnly.
Video covering how to Protect VMware ESXi from Ransomware
Wrapping Up
Ransomware is a huge problem today, and it doesn’t just target Windows systems. As discussed in this post on how to Protect against Black Basta ESXi ransomware, more ransomware gangs are going after VMware ESXi as it is a great target to capture most if not all of your business-critical workloads in one fell swoop. Follow the best practice security guidelines for protecting your ESXi hosts, and make sure you give it your due diligence without letting your guard down.
