Securing Your vSphere Environment from Ransomware Part 1: It’s Worse Than You Think

TL;DR – Jump down to the Action Items: Where to Start section.

I am averse to clickbait titles but I am pulling out all the stops with this one. I am also usually averse to fear mongering, but this topic warrants it.

My disclaimer here is that this post is not intended to include every possible ransomware scenario or countermeasure. Protecting your organization from Ransomware is a team effort, so file this blog post under the phrase, “Including But Not Limited To . . .”

What follows here is meant to ease you into the topic of Ransomware, with some initial advice about where to start. In Part 2, I will get more technical about how to implement some of the items recommended to decrease the chances a Ransomware attack on your organization will be successful.

The Scary Part

Ransomware can make its way onto a Desktop machine, file share location, or Guest OS. Sure. Most of us know this.

But did you know that there are at least 3 Ransomware exploits that target ESXi directly and specifically?

And did you know that these exploits can take control of your ESXi hosts and encrypt the datastore(s), making the VMs stored there useless and inaccessible?

And did you know that these exploits will self-replicate and jump from ESXi host to ESXi host while locking you out altogether, which could bring down your entire virtual infrastructure, vCenter and all?

You Have My Attention

This, among other things, keeps me up at night.

Why . . . So . . . Serious?

In a previous life, I was a VMware Engineer for a company that provided IaaS for Hospitals. One of the Hospitals was hit with Ransomware and there was no plan for recovery. We spent almost two weeks straight, through multiple shifts . . . overtime . . . getting everything back online.

I am not sure how much money that actually cost all parties involved, but I am sure it wasn’t cheap.

Maybe I have some bias here, but I have always thought that having some paranoia about security, and in this case ransomware, is a healthy thing.

I am erring on the side of caution on this one and I hope you will go along with me and keep reading.

Don’t Expect Any Magic Answers

At my organization, we started by interrogating vendors about their recommended best practices for battling Ransomware. I am not really sure what we expected, but most of them had three answers:

  1. Protect your stuff.
  2. Patch your stuff.
  3. Backup your stuff.

Thank you Captain Obvious!

On one hand, I get it. There are no magic answers. On the other hand, they’re also kind of wrong:

The more sophisticated ransomware attacks are logic bombs. Some of them lie dormant for a time, possibly weeks, which means your backups end up infected as well. So when you say, “Oh it’s cool, we’ll just restore the backup from last night,” you’d just be restoring something that will simply get re-encrypted once its time is updated.

Let’s also not forget that ransomware self-replicates and attempts to encrypt everything in its path. It will also attempt to encrypt backups as well. More on that later.

Action Items: Where to Start

Some of what follows here is taken from my own experiences, but most of it is taken from a great resource: The VMware Ransomware Resource Center, and I highly recommend you read every word, especially if you don’t know where to start. What follows here is also extremely abbreviated. This is meant to act as a starting point:

  1. Don’t be afraid to be the alarmist. It’s OK to be that person. Screw the haters.
  2. If you think it won’t happen to you because your company is “down with all the kewl kids” so you’re “not a target” . . . think again. I just described a situation where attackers were perfectly OK with ransoming a Hospital, you know, where children are dying of cancer . . . . CANCER I TELL YOU!
  3. On that note, assume that an attack will happen to your organization.
  4. Have a plan to restore the environment without having to pay the ransom. Do not pay the ransom. First of all, many times the decryption they give you either doesn’t work, or simply re-installs another ransomware attack. Second of all, many “cybercriminal gangs” (VMware’s words, not mine) will share the vulnerabilities they found with other “cybercriminal gangs” and the cycle will repeat.
  5. Patch, patch, patch. Automate your patching to patch things when they need to be patched.
  6. Patch early, patch often.
  7. Research the best types of antivirus that will ensure protection against the latest-known ransomware attacks.
  8. Educate users about ransomware.
  9. Have a documented plan in place and ensure everyone knows it.
  10. Inventory all resources and document them all in a DCIM, preferably in an automated way.
  11. Audit those resources regularly.
  12. Evaluate and consider settings for your ESXi hosts recommended in the vSphere Security Configuration Guide.
  13. Use automated configuration management to ensure your ESXi hosts in particular do not drift into insecure settings . . . you know, like SSH being turned on.
  14. Use MFA wherever you can.
  15. Implement random passwords that rotate on a regular interval. This can be done with HashiCorp Vault and PowerCLI (more on that in Part 2) or CyberArk.
  16. Follow the principle of least privilege.
  17. Use Defense in Depth.
  18. Backups should be stored in a separate, siloed location, highly protected (MFA, etc.) and inaccessible by the possibly compromised resources at large.
  19. Furthermore, attempt to have a backup utility that is ransomware-aware (more on this in Part 2).
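
As a concrete version of item 13, here is a PowerCLI drift check for the "SSH being turned on" case. It is an added example, not code from this post or from VMware. It assumes the VMware.PowerCLI module is installed; the vCenter name is a placeholder, and the baseline (SSH and ESXi Shell stopped, startup policy off) is an assumption to adjust to your own standard.

```powershell
# Added example: report (and optionally fix) ESXi service drift with PowerCLI.
# Run from a scheduler or CI job; by default it only reports.
param(
    [string]$Server = 'vcenter.example.local',  # placeholder vCenter name
    [switch]$Remediate                          # pass -Remediate to stop and disable drifted services
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $Server -Credential (Get-Credential) | Out-Null

# Assumed baseline: these services are stopped and do not start with the host.
$baseline = @{ 'TSM-SSH' = 'SSH'; 'TSM' = 'ESXi Shell' }

$drift = foreach ($vmhost in Get-VMHost | Where-Object ConnectionState -in 'Connected','Maintenance') {
    $services = Get-VMHostService -VMHost $vmhost | Where-Object { $baseline.ContainsKey($_.Key) }
    foreach ($svc in $services) {
        if ($svc.Running -or $svc.Policy -ne 'off') {
            # Emit one row per drifted service; lockdown mode is included for context.
            [pscustomobject]@{
                Host     = $vmhost.Name
                Service  = $baseline[$svc.Key]
                Running  = $svc.Running
                Policy   = $svc.Policy
                Lockdown = $vmhost.ExtensionData.Config.LockdownMode
            }
            if ($Remediate) {
                if ($svc.Running) { Stop-VMHostService -HostService $svc -Confirm:$false | Out-Null }
                Set-VMHostService -HostService $svc -Policy Off -Confirm:$false | Out-Null
            }
        }
    }
}

$drift | Format-Table -AutoSize
Disconnect-VIServer -Server $Server -Confirm:$false
if ($drift) { exit 1 }   # non-zero exit lets the scheduler or CI job raise an alert
```

The rows describe the state found before any remediation, so a run with -Remediate still leaves a record of which hosts had drifted.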

I will close out with an acronym and a cool graphic because I need something as the thumbnail for this post. This is from Practical Ideas for Ransomware Prevention on VMware’s Ransomware Resources site:

  1. Identify
  2. Prevent
  3. Detect
  4. Respond
  5. Recover

. . . And the cool graphic . . . It’s pretty:

Stay tuned for Part 2, where I give some tips on how to implement some of the above. I hope I didn’t scare you too bad.

On the other hand, a little fear might be a healthy thing in this case.

Questions? Hit me up on twitter @RussianLitGuy or email me at I would love to hear from you.
