Caution! VMware, the next target of ransomware attacks
2021-03-19 | Charley
On March 15, a VMware vSphere user reported in a blog post that, in addition to a large number of Windows desktop and laptop files in the company being encrypted, many of their VMs had been maliciously shut down and could no longer be connected to, causing a serious outage of the production environment. On investigation they found that the VMs had also been hit by the ransomware, and it took them a whole day to restore only about 80% of their business. The incident has drawn widespread attention in the industry.
Ransomware generally does not spread across operating systems: the notorious WannaCry, for example, only infected Windows hosts, propagating through an SMB vulnerability. This time, however, the attack hit both the Windows endpoints and the VMs themselves. Note that once an attacker can write to the ESXi datastore, encrypting the VM files takes every guest down regardless of the operating system inside it, so virtualization users should be on alert.
The blogger stressed that after the attack, vCenter was the only appliance in the VMware vSphere cluster that remained usable. In the ESXi datastore, the VM disk files (.vmdk) and VM configuration files (.vmx) had been renamed. Opening a renamed .vmx file manually showed that its contents were encrypted as well (a .vmx is normally plain text made of key = "value" lines, so the damage is obvious on sight), and a description file generated by the ransomware appeared in the VMware vm-support log collection.
(Image: description file generated by the ransomware, as found in the ESXi vm-support log collection)
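As an added example (not code from the original post or from the blogger), the Python script below checks a datastore directory tree for the two indicators just described: VM files renamed with an extra extension, and .vmx files whose contents are no longer the plain-text key = "value" lines a .vmx normally holds. The sample datastore it builds is constructed for the demonstration; the ".locked" suffix and the VM names are assumptions, not the extension or names from the incident.

```python
"""Scan a VMware datastore tree for renamed VM files and .vmx files that no
longer parse as plain-text key/value configuration."""
import json
import math
import os
import re
import tempfile
from pathlib import Path

# A healthy .vmx is a plain-text file of `key = "value"` lines (plus comments).
VMX_LINE = re.compile(r'^\s*[A-Za-z0-9_.:-]+\s*=\s*".*"\s*$')
# Extensions that belong to a VM's own files on the datastore.
VM_EXTENSIONS = (".vmx", ".vmdk", ".vmsd", ".vmxf", ".nvram")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random or encrypted data is close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def vmx_looks_encrypted(path: Path) -> bool:
    """True if a (possibly renamed) .vmx no longer parses as key/value text."""
    data = path.read_bytes()
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return True  # ciphertext is almost never valid UTF-8
    lines = [l for l in text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    if not lines:
        return False  # empty or comment-only: odd, but not ciphertext
    good = sum(1 for l in lines if VMX_LINE.match(l))
    return good < len(lines) / 2 or shannon_entropy(data) > 7.0


def scan_datastore(root: Path) -> dict:
    """Return datastore-relative paths of suspicious files, sorted."""
    renamed, encrypted = [], []
    for p in root.rglob("*"):
        if not p.is_file() or p.name.startswith("."):
            continue
        rel = p.relative_to(root).as_posix()
        # "web01.vmx.locked": a VM extension followed by another suffix.
        # ".lck" files are ESXi's own lock files on NFS datastores, not an attack.
        if not p.name.endswith(".lck") and any(ext + "." in p.name for ext in VM_EXTENSIONS):
            renamed.append(rel)
        # Check the content of every .vmx, whether renamed or not.
        if ".vmx" in p.name and ".vmxf" not in p.name and vmx_looks_encrypted(p):
            encrypted.append(rel)
    return {"renamed": sorted(renamed), "encrypted_vmx": sorted(encrypted)}


HEALTHY_VMX = "\n".join([
    '.encoding = "UTF-8"',
    'config.version = "8"',
    'virtualHW.version = "17"',
    'displayName = "web01"',
    'scsi0:0.fileName = "web01.vmdk"',
]) + "\n"


def build_sample_datastore(root: Path) -> None:
    """Constructed sample data (hypothetical VM names): one intact VM, one VM whose
    files were renamed and encrypted, and one .vmx overwritten in place.
    ".locked" is an assumed suffix, not the one reported in the incident."""
    (root / "web01").mkdir()
    (root / "web01" / "web01.vmx").write_text(HEALTHY_VMX)
    (root / "web01" / "web01.vmdk").write_text("# Disk DescriptorFile\nversion=1\n")
    (root / "db01").mkdir()
    (root / "db01" / "db01.vmx.locked").write_bytes(os.urandom(4096))
    (root / "db01" / "db01.vmdk.locked").write_bytes(os.urandom(4096))
    (root / "app01").mkdir()
    (root / "app01" / "app01.vmx").write_bytes(os.urandom(4096))


def run_demo() -> dict:
    """Build the constructed datastore in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    build_sample_datastore(root)
    return scan_datastore(root)


if __name__ == "__main__":
    # On a real host, point scan_datastore() at /vmfs/volumes/<datastore> instead.
    print(json.dumps(run_demo(), indent=2))
```

Run it against a copy of the datastore tree or from a machine that has the datastore mounted. A clean result only means these two indicators are absent; it does not prove the datastore is untouched, and the descriptor-only check skips the large -flat.vmdk files on purpose, since reading them whole is slow and their renaming is already caught by the name check.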
To recover, the blogger also put forward several approaches:
Since daily storage snapshots had been deployed, after rebuilding the VMware vSphere hosts, new LUNs can be created from the storage LUN snapshots and mounted to ESXi; the VMs are then registered manually and powered on to verify how much data was lost, and the business is restored step by step.
VMs stored on local disks cannot be restored from storage snapshots; they need a full VM restore from the data in the backup environment.
VMs with neither snapshots nor backups can only be rebuilt from scratch, without their existing data.
Upgrading the virtualization environment.
As virtualization develops rapidly, it has become the norm for both public and private cloud data center deployments. And since VMware vSphere holds the largest share of the virtualization platform market, it naturally becomes a prime target for ransomware.
The previous ransomware attack on VMware vSphere, in February this year, exploited software vulnerabilities: the operators of the RansomExx ransomware encrypted the files of virtual hard disks by exploiting two flaws in the OpenSLP service of VMware ESXi (CVE-2019-5544, a heap overwrite, and CVE-2020-3992, a use-after-free), with devastating results for the affected enterprises. Both flaws had patches available from VMware before the attacks were reported, and VMware's published workaround is to disable the SLP service on hosts that do not need it.
(Image: RansomExx detection, source: Kaspersky)
Such incidents indicate that ransomware operators have begun to target VMware vSphere users and are waiting for the right moment to strike at scale. And as the recovery options above show, having a backup and disaster recovery setup in place is what makes recovery possible at all.
Vinchin provides data protection for more than 1.6 million VMs worldwide, about 70% of them on VMware, with mature and stable VMware VM backup and recovery solutions.
How can backup and DR jobs for critical VMs be deployed with Vinchin Backup & Recovery?
Agentless backup
Back up the entire VMware vSphere environment agentlessly, reducing maintenance cost by a factor of 10 or even 100.
Flexible backup strategies
Deploy full, incremental or differential backups on daily, weekly or monthly schedules as needed, and customize an optimal backup plan, so that data is protected before a ransomware attack happens.
Offsite DR center: dual data protection
Besides local backup, Vinchin also helps users build an offsite DR center. If ransomware hits the local production system, services can be taken over at the offsite site, with RTOs as low as 15 seconds.
Data archive: benefit from the 3-2-1 rule
Following the 3-2-1 rule (three copies of the data, on two different media, with one copy offsite), Vinchin also provides local and cloud archive features to organize and retain important backup data for the long term. Even if both the local and the offsite backup systems are attacked, users still have a Plan C to restore from, minimizing data loss.
From this incident, we also draw some anti-ransomware suggestions for VM users.
Scheduled backups are essential, with multiple copies stored on different media and in different locations. A backup that can be reached with the same credentials as the production environment can be encrypted along with it, so at least one copy should be offline or otherwise immutable. After a disaster, the backup is often the only lifeline.
Storage-level redundancy also helps. Storage snapshots, replication, clones and similar technologies enable fast backup and restore and greatly speed up business recovery. Note that snapshots on the same array protect against accidental damage, not against an attacker who gains access to the array's management interface, so they complement backups rather than replace them.
Follow the virtualization vendor's security advisories and patch the software and firmware in the existing environment promptly.
This time the attackers have opened the door to ransomware attacks against VMs on VMware vSphere, which once again reminds us of the importance of data backup.