
How to Protect VMware ESXi Vulnerabilities Against Ransomware

Published on June 9, 2023

Ransomware attacks are one of the easiest and most lucrative cyberattacks to deploy, which is why they are so popular among threat actors. 

Protecting end-user computers is comparatively straightforward: withhold local admin rights and enforce a proper backup strategy. But what about your servers? Are they safe? If your servers are virtualized on ESXi, do you need to worry about them being seized by ransomware?

Yes, you do. 

VMware ESXi is not immune. ESX, and ESXi after it, has been the standard virtualization platform in businesses for more than two decades, and attackers have spent a lot of time and resources learning to crack it.

How Does a Ransomware Attack Work on ESXi Vulnerabilities?

Believe it or not, ransomware attacks on ESXi servers aren’t 733t. As silly as that “leet” lingo is, the point stands: ransomware is most commonly deployed by script kiddies and novices using off-the-shelf tooling, not by elite operators. Here’s how the VM ransomware attack chain typically unfolds:

  • Step 1: Attack the fences. Humans are usually the weakest link in the security chain, either falling for social-engineering lures or misconfiguring security settings. Attackers use social engineering, typically phishing emails, to gain an initial foothold in the environment.

  • Step 2: Replicate like crazy. Once the phishing payload runs on an unsuspecting user’s device, the attacker spreads through the network. The tooling delivered by the phishing email is built to seek out unpatched vulnerabilities, weak or reused credentials and insecure configurations.

  • Step 3: Attack the thermal exhaust port. Eventually the attacker reaches the systems that host the VMware management software: vCenter, or the management interfaces of the ESXi hosts themselves. From there they locate the datastores holding the virtual disks (.vmdk files) and use ESXi vulnerabilities, stolen administrator credentials or other attack patterns to encrypt them.

Making matters worse, a guest operating system can sometimes keep running for a while after its virtual disk files have been tampered with, because the pages it is working from are already in memory; the damage only becomes obvious at the next reboot or the next read that misses the cache. During that window a routine backup job can copy the encrypted vDisk over the older, valid copy. If the attack isn’t prevented or discovered quickly, the business can lose everything, backups included.
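The failure mode above is a backup job that accepts whatever is on the datastore. The following is an added example, not code from CBT Nuggets or VMware: a pre-rotation check that looks at the first 64 KiB of each copied disk file, where every VMDK layout keeps recognisable structure (the text descriptor’s first line, the KDMV/COWD magic of sparse extents, the MBR partition table at the start of a raw -flat extent) and where encryption destroys exactly that structure. The entropy threshold is an assumed value, the helper names are mine, and the sample files are constructed in a temporary directory.

```python
"""Sanity-check VMDK backup copies before they replace older versions."""
import math
import os
import sys
import tempfile
from collections import Counter

SAMPLE_BYTES = 64 * 1024   # header region inspected per file
ENTROPY_LIMIT = 7.5        # bits/byte; ciphertext and random data sit near 8.0 (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for uniform data, 8.0 for perfectly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_mbr(head: bytes) -> bool:
    """Boot signature present and all four partition entries carry a legal status byte (0x00/0x80)."""
    if len(head) < 512 or head[510:512] != b"\x55\xaa":
        return False
    return all(head[446 + 16 * i] in (0x00, 0x80) for i in range(4))


def classify_header(head: bytes) -> str:
    """Name the VMDK layout the header matches, or 'unknown'."""
    if head.startswith(b"# Disk DescriptorFile"):
        return "descriptor"        # text descriptor that references the -flat/-delta extents
    if head[:4] == b"KDMV":
        return "hosted-sparse"     # monolithicSparse / twoGbMaxExtentSparse extent magic
    if head[:4] == b"COWD":
        return "vmfs-sparse"       # ESXi snapshot (delta) extent magic
    if looks_like_mbr(head):
        return "flat-extent"       # raw -flat.vmdk extent: MBR or protective MBR of a GPT disk
    return "unknown"


def assess_backup(path: str) -> dict:
    """Classify one copied disk file and decide whether it may enter the backup rotation."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    layout = classify_header(head)
    entropy = shannon_entropy(head)
    if layout != "unknown":
        verdict = "ok"
    elif entropy > ENTROPY_LIMIT:
        verdict = "likely-encrypted"   # no known structure and the header looks like ciphertext
    else:
        verdict = "unrecognised"       # e.g. a blank, never-partitioned disk; review by hand
    return {"path": path, "layout": layout, "entropy": round(entropy, 2), "verdict": verdict}


def safe_to_rotate(paths) -> bool:
    """True only if every new copy passes; one bad disk must halt pruning of older versions."""
    return all(assess_backup(p)["verdict"] == "ok" for p in paths)


def build_samples() -> dict:
    """Write three constructed files: a good descriptor, a good flat extent, an encrypted extent."""
    d = tempfile.mkdtemp(prefix="vmdk-check-")
    descriptor = (
        b"# Disk DescriptorFile\nversion=1\nCID=fffffffe\nparentCID=ffffffff\n"
        b'createType="vmfs"\n\n# Extent description\nRW 41943040 VMFS "db01-flat.vmdk"\n'
    )
    flat = bytearray(SAMPLE_BYTES)             # zeroed sectors ...
    flat[446:448] = b"\x80\x20"                # ... one bootable partition entry ...
    flat[510:512] = b"\x55\xaa"                # ... and the MBR boot signature
    encrypted = os.urandom(SAMPLE_BYTES)       # stands in for a ransomware-rewritten extent
    samples = {"db01.vmdk": descriptor, "db01-flat.vmdk": bytes(flat), "web01-flat.vmdk": encrypted}
    paths = {}
    for name, blob in samples.items():
        paths[name] = os.path.join(d, name)
        with open(paths[name], "wb") as fh:
            fh.write(blob)
    return paths


if __name__ == "__main__":
    targets = sys.argv[1:] or list(build_samples().values())
    for t in targets:
        print(assess_backup(t))
    print("safe to rotate:", safe_to_rotate(targets))
```

Run it with the new copies as arguments and gate the pruning step on its exit status. The check only inspects the head of each file, which is where encryption normally starts; a family that skips the first region would pass, so in production sample several offsets. A guest that runs full-disk encryption inside the VM is still recognised, because its partition table at offset 0 stays in the clear.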

How Do You Prevent Ransomware Attacks on ESXi and Other Virtualized Environments?

Businesses can’t run on air-gapped systems, and employees need laptops to do their work. So how do you keep your VMware ESXi hypervisor, or any other virtualized environment, from being hit by ransomware?

  • Perform versioned backups for vDisks. Backups don’t prevent ransomware attacks, but they do let you recover from them. Assume your IT services are under attack and that an attacker will eventually break through your defenses. With versioned backups, even when the newest copies turn out to be encrypted, an older version still exists and you can recover something, even if that data is a few days old. Keep retention long enough to cover the time it takes to notice an attack, keep at least one copy somewhere the ESXi hosts and their admin accounts cannot write, and test restores so you know the copies actually boot.

  • Segregate management applications. VMware ESXi, Hyper-V and other virtualization environments are run from management interfaces and management systems. Don’t put those systems (vCenter, the ESXi management vmkernel interfaces, the hosts’ SSH and web access) on the same VLAN as your other IT systems. One benefit of VLANs is that you control how and where traffic can enter or exit them: ransomware that can’t reach the management plane can’t encrypt the datastores behind it. Lock down the VLAN that hosts your vSphere management apps with ACLs that admit only the jump hosts your administrators use, and mirror those restrictions in the ESXi host firewall, so that a compromised workstation VLAN cannot talk to the hypervisor at all.

  • Don’t attach vSphere to Active Directory (AD). AD makes systems administrators’ lives easier because it helps roll out updates, assign security policies and more. However, ransomware operators who have taken over AD can query it to locate the VMware ESXi management systems on the network, and if vCenter or the hosts trust AD for authentication, the domain-admin credentials they already hold open the hypervisor too. If the virtualization environment isn’t in AD, the attacker has to find it and break into it separately, which gives network operators and systems administrators more time to discover and remediate the intrusion. If you must integrate, map only a small, dedicated AD group to administrator roles and keep a local break-glass account whose password is stored offline.

  • Stop reusing passwords. Use a long, unique password for every account, including the ESXi root and vCenter administrator accounts, store them in a password manager rather than sharing them, and never email passwords to team members.

  • Update. Systems fall out of date because organizations worry that a critical system won’t come back up after an update. That paranoia will be your death knell. Many successful ransomware attacks land on systems that were never patched, so apply security patches promptly; if downtime is the fear, stage the patch on a non-production host first.
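The segregation advice above ends at the ESXi host firewall, which is where an administrator can verify it. The script below is an added example, not CBT Nuggets’ or VMware’s code: it reads the default table output of `esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list` (first column the ruleset name, remainder the value; the layout is assumed and the sample output is constructed), reports management services reachable from outside the management VLAN, and emits the esxcli commands that confine them to it. Which rulesets count as management-plane is my choice for the example.

```python
"""Audit an ESXi host's management-plane exposure from esxcli firewall output."""
import ipaddress

# Rulesets that expose the host's management plane (names as esxcli lists them;
# which ones to police is an assumption made for this example).
MGMT_RULESETS = {"sshServer", "vSphereClient", "webAccess", "CIMHttpsServer"}

# Constructed sample output; on a real host capture it with the two esxcli commands.
RULESET_LIST = """\
Name              Enabled
----------------  -------
sshServer         true
vSphereClient     true
webAccess         true
CIMHttpsServer    false
ntpClient         true
"""

ALLOWED_LIST = """\
Ruleset           Allowed IP Addresses
----------------  --------------------
sshServer         All
vSphereClient     10.20.30.0/24, 192.168.1.50
webAccess         10.20.30.0/24
CIMHttpsServer    All
ntpClient         All
"""


def parse_table(text: str) -> dict:
    """Map the first column of an esxcli table to the rest of the row, skipping header lines."""
    rows = {}
    for line in text.strip().splitlines()[2:]:   # line 0: column headers, line 1: dashes
        if line.strip():
            name, _, rest = line.partition(" ")
            rows[name] = rest.strip()
    return rows


def audit(ruleset_text: str, allowed_text: str, mgmt_cidr: str):
    """Return (findings, fixes): findings are (ruleset, issue) pairs, fixes are esxcli commands."""
    mgmt = ipaddress.ip_network(mgmt_cidr)
    enabled = {n: v.lower() == "true" for n, v in parse_table(ruleset_text).items()}
    allowed = parse_table(allowed_text)
    findings, fixes = [], []
    for rs in sorted(MGMT_RULESETS):
        if not enabled.get(rs, False):
            continue                                   # a disabled service exposes nothing
        if rs == "sshServer":
            findings.append((rs, "SSH is enabled; leave it off unless actively needed"))
            fixes.append("esxcli network firewall ruleset set --ruleset-id sshServer --enabled false")
        sources = allowed.get(rs, "All")
        if sources == "All":
            findings.append((rs, "reachable from any source address"))
            fixes.append(f"esxcli network firewall ruleset set --ruleset-id {rs} --allowed-all false")
            fixes.append(f"esxcli network firewall ruleset allowedip add --ruleset-id {rs} --ip-address {mgmt}")
            continue
        for src in (s.strip() for s in sources.split(",")):
            net = ipaddress.ip_network(src, strict=False)   # a bare address becomes a /32
            if net.version != mgmt.version or not net.subnet_of(mgmt):
                findings.append((rs, f"allowed source {src} is outside management VLAN {mgmt}"))
                fixes.append(f"esxcli network firewall ruleset allowedip remove --ruleset-id {rs} --ip-address {src}")
    return findings, fixes


if __name__ == "__main__":
    found, cmds = audit(RULESET_LIST, ALLOWED_LIST, "10.20.30.0/24")
    for rs, issue in found:
        print(f"[{rs}] {issue}")
    print("\nRemediation:")
    print("\n".join(cmds))
```

The host firewall is the last hop of the ACL, not a replacement for it: apply the same source restrictions on the switch or firewall in front of the management VLAN, and remember that vCenter has its own firewall to audit separately. Run the review again after every host upgrade, since a ruleset re-enabled by an update silently reopens the door.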

Ready to learn more?

CBT Nuggets offers a range of courses to boost your VMware knowledge. If this is your first time deploying or managing ESXi systems, take this course to learn how to deploy an ESXi host. You’ll discover the ins and outs of properly configuring and securing ESXi before it’s production heavy. Or become a virtualization expert with our VMware training. 

Not a CBT Nuggets subscriber? Sign up for a one-week no-strings-attached trial to explore these courses and others.


© 2024 CBT Nuggets. All rights reserved.