Latest update


Protect against Black Basta ESXi ransomware

We have all known that we need to employ good security tactics with our VMware vSphere ESXi servers and ensure we do our diligence to keep these secure. However, the stakes get exponentially higher when you consider the danger of ESXi ransomware and what it has the potential to do. It seems it is getting more common to hear of ransomware gangs targeting ESXi servers as part of their heist, making total sense. Arguably most enterprise organizations today are using VMware vSphere to house their on-premises workloads. So, encrypting ESXi hosts is the “all eggs in one basket” scenario where you can get all of the business-critical workloads running in ESXi in one fell swoop. Let’s look at how to protect against Black Basta ESXi ransomware, a new ransomware variant seen recently.

What is Black Basta ESXi ransomware?

Black Basta is a new ransomware gang that quickly rose as a ransomware gang to watch in 2022. They are also a ransomware gang that goes after victims using the now-standard “double extortion” routine. In case you are not yet familiar with the double extortion scheme, attackers first extort victims for cryptocurrency to decrypt their data that has been encrypted by the ransomware process. Then, they also demand payment to prevent business-critical or sensitive data from being leaked to the dark web.

A new report from Uptycs Threat Research analysts has raised the alert that new Black Basta ransomware has been spotted that specifically targets VMware ESXi servers. In fact, many security sites and researchers suggest that the main reason many ransomware gangs are developing Linux ransomware is to compromise VMware ESXi server.

In the second week of April 2022, Black Basta ransomware was first spotted in the wild. It has since been ramping up its attacks on organizations worldwide, including attempts to compromise VMware ESXi servers.

According to Bleeping Computer the ransomware searches out the /vmfs/volumes folder where virtual machines are stored in VMware ESXi server datastores. It uses the ChaCha20 algorithm to encrypt data running in VMware ESXi. Virtual machine encrypted files will get the .basta extension appended to the datastore files.

Note a few of the posts describing the new Black Basta ransomware targeting VMware ESXi:

Protect against Black Basta ESXi ransomware

The first question that is going to go through the minds of most VI admins is how do I protect against Black Basta ESXi ransomware. While I have yet to see details on how previous victims have become infected with ESXi ransomware, it is safe to say that improper VMware ESXi security hygiene is not being implemented correctly in a lot of cases.

Let’s take a look at the following ways to protect against Black Basta ESXi ransomware:

  1. Segment your ESXi management network from your LAN
  2. Disable SSH access
  3. Do not use Active Directory authentication for admin-level access to VMware ESXi
  4. Use ESXi lockdown mode
  5. Enable execInstalledOnly with TPM-enabled hosts
  6. Patch your VMware ESXi hosts regularly

1. Segment your ESXi management network from your LAN

I will argue to say it is NEVER a good idea to have your ESXi management interfaces on the same network as your production LAN, especially where clients browsing the Internet are located. You are asking for trouble here. Often an Internet-connected client is the entry point for ransomware or the compromise where an attacker gets on the internal network and starts looking around. They may not launch a ransomware attack at this stage but instead start performing reconnaissance.

However, once they have your VMware ESXi in their sights and it is openly accessible from a network perspective, it is only a matter of time before they will be able to compromise your ESXI host. Segmenting your VMware ESXi management interface from the rest of the network is a fundamental step in securing your VMware vSphere infrastructure from compromise.

2. Disable SSH access

I have seen many environments where SSH access is left enabled 24x7x365 on business-critical ESXi hosts. While SSH is convenient and helpful in certain situations, you should only enable the SSH service on your VMware ESXi hosts when it is absolutely needed. Once you have completed using SSH on your ESXi hosts, you should stop the service.

Viewing the state of the SSH service for an ESXi host
                    Viewing the state of the SSH service for an ESXi host

Coupled with the management interface being on the same network as Internet-connected clients, having the SSH service enabled makes compromising a host much easier as there is now only a password that stands in between the attacker and owning your ESXi host.

3. Do not use Active Directory accounts for admin-level access to VMware ESXi

Another dangerous practice, in my honest opinion, is using Active Directory accounts for admin-level access to VMware ESXi. Active Directory accounts are one of the most targeted accounts in an enterprise environment. Users, including admins, often create passwords that may meet complexity requirements but are easily cracked or are leetspeak-type passwords that are easily guessed.

After all, we all think very similarly, including how we create passwords and character substitutions we come up with. Attackers know this and they can often guess what would be considered difficult passwords due to the characters they contain. However, again, they involve very common character substitutions.

Using a domain administrator Active Directory account delegated administrator access in VMware vCenter Server is a bad idea. If an attacker compromises your domain credentials or the credentials of a user that has been delegated administrator access within vSphere, it is game over.

Instead, created very strong “generated” passwords for named local accounts in VMware ESXi for access. Also, if you delegate Active Directory accounts with permissions in vSphere, be sure to configure two-factor authentication (2FA) for vCenter Server. 

4. Use ESXi Lockdown mode

Briefly, lockdown mode with ESXi helps to increase the security of your ESXi hosts. When an ESXi host is placed in lockdown mode, all operations must happen through vCenter Server. There are two modes for lockdown mode:

  • Normal lockdown mode
  • Strict lockdown mode

What is locked down with lockdown mode? When running in normal or strict lockdown mode, privileged users can access the ESXi host using vCenter Server, vSphere client, or using the vSphere web services SDK.

What about direct console access (DCUI)? When the host is in strict lockdown mode, the DCUI is disabled. In normal lockdown mode, accounts on the exception list can still access the DCUI if they are administrators. What about SSH and ESXi shell access? User accounts on the exception list can still access these services. For all other users, these services are disabled. Access in lockdown mode is also logged for audit purposes.

Post a Comment