
Ransomware targeting virtualization platforms is on the rise, Mandiant says

Image Credit: Getty Images



Mandiant has observed a “significant increase” in the number of incidents involving a ransomware attack targeted against virtualization infrastructure, an expert at the cybersecurity firm told VentureBeat.

The increase has come over the past six to 12 months, and represents an adjustment of threat actor tactics, enabling them to “more rapidly and efficiently encrypt a large number of hosts,” said Greg Blaum, a principal consultant at Mandiant.

On Tuesday, Mandiant released M-Trends 2022, the firm’s 13th annual threat report. Among its major findings is that Mandiant has observed ransomware-focused threat actors “increasingly targeting virtualization infrastructure.”

While a traditional ransomware attack requires deploying the malicious payload across multiple hosts in a victim’s environment, an attack on virtualization infrastructure can potentially infect hundreds of virtual machines at once. With this variety of attack, “hitting one machine is much more effective,” Blaum said.


Mandiant reports that it observed a number of ransomware groups targeting VMware vSphere and ESXi platforms during 2021. The attackers included threat actors that have been associated with Conti, Hive, DarkSide and Blackcat, according to the firm.

In this type of attack, the threat actors have used compromised credentials to access VMware’s vCenter Server management software, Mandiant says. The attackers then use vCenter to discover all of the ESXi hosts in the victim’s environment, according to Mandiant.

While traditionally an on-premises virtualization platform, this type of virtualization infrastructure is also hosted by a number of cloud providers for their clients.

Mitigations

In terms of mitigations for this type of attack, the most effective is network segmentation, Blaum said. This entails placing the management software used with the virtualization infrastructure on an isolated network, or VLAN.

“If there are no network routes to get to the management infrastructure, it’s going to be really difficult for an attacker to exploit it,” Blaum said.

The use of a privileged access management (PAM) solution would also be helpful in blocking this type of attack, he said.
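The two points above, that the attacks start with compromised credentials against vCenter and that the strongest mitigation is keeping the management software on a network no ordinary host can route to, suggest a simple control check a defender can automate: any authentication event against vCenter whose source address is outside the management VLAN means either the segmentation has a gap or a credential is being used from where it should not be. The script below is an added example, not code from the article or from Mandiant; the management prefix, the hostname `vcenter01` and the syslog-like line format are constructed assumptions standing in for whatever the environment's log pipeline produces.

```python
import ipaddress
import re

# Assumption: the isolated management VLAN where vCenter and the ESXi hosts live.
# Replace with the real management prefixes for the environment being checked.
MANAGEMENT_NETS = [ipaddress.ip_network("10.50.0.0/24")]

# Constructed sample lines in a generic syslog-like shape; they are not real
# vCenter output and only stand in for whatever the SIEM normalizes auth events to.
SAMPLE_LOG = """\
2022-04-19T10:01:02Z vcenter01 auth: user=VSPHERE.LOCAL\\admin src=10.50.0.20 result=success
2022-04-19T10:05:44Z vcenter01 auth: user=CORP\\jdoe src=192.168.7.33 result=failure
2022-04-19T10:05:51Z vcenter01 auth: user=CORP\\jdoe src=192.168.7.33 result=success
2022-04-19T10:07:15Z vcenter01 auth: user=VSPHERE.LOCAL\\admin src=10.50.0.21 result=success
2022-04-19T10:08:03Z vcenter01 auth: user=CORP\\svc-backup src=not-an-ip result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+auth:\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+result=(?P<result>\w+)"
)


def parse_line(line):
    """Return the fields of one auth line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_management_source(src, nets=MANAGEMENT_NETS):
    """True if src is a valid IP inside one of the management prefixes.

    An unparseable source is treated as NOT in the management segment so that
    malformed or spoofed fields are surfaced rather than silently trusted.
    """
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def find_out_of_segment_auth(log_text, nets=MANAGEMENT_NETS):
    """Return every auth event (success or failure) whose source is outside nets.

    Any attempt at all from outside the management VLAN is worth a ticket: a
    failure shows a route to the management software exists, a success shows
    a credential was in the attacker's hands as well.
    """
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        if not is_management_source(event["src"], nets):
            findings.append(event)
    return findings


if __name__ == "__main__":
    for f in find_out_of_segment_auth(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']}: {f['result']} login for {f['user']} "
              f"from {f['src']} (outside management VLAN)")
```

Run against the constructed sample, the check flags the two attempts from the user subnet 192.168.7.0/24 and the line with an unparseable source, and stays quiet for the two logins from inside 10.50.0.0/24. Treating a failed attempt as a finding is deliberate: the article's point is that there should be no network route to the management infrastructure at all, so even a rejected login from the wrong segment means the segmentation is not doing its job.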

Ultimately, ransomware attacks against virtualization infrastructure are expected to remain an issue, Blaum said.

“Because the use of the virtualization infrastructure is so pervasive, and the fact that attackers can quickly and easily encrypt large numbers of hosts, we see this trend continuing in the future,” he said.
