MichaelKors Ransomware

Analysis

The emergence of the MichaelKors ransomware-as-a-service (RaaS), which targets Linux and VMware ESXi systems, underlines the growing attention that hackers are giving to virtualization technology. VMware ESXi has become a desirable target because of its widespread use, its security flaws, and the fact that it does not support third-party agents or antivirus software. Attackers use known vulnerabilities, privilege escalation, and compromised credentials to take over ESXi hypervisors. Ransomware-based hypervisor jackpotting, which amplifies the impact of an attack, is on the rise.

Several ransomware families have used stolen Babuk source code to create lockers tailored to ESXi. Because ESXi runs directly on physical servers, a compromised hypervisor puts the virtual machines it hosts at risk of encryption, which might result in data loss. Organisations should put in place access controls, two-factor authentication, backups, security updates, and proactive vulnerability management.

Prevention

  • Keep software updated to patch vulnerabilities.
  • Deploy advanced endpoint protection to detect and block ransomware.
  • Implement network segmentation to contain the spread.
  • Practice the principle of least privilege to limit access.
  • Educate employees about phishing and suspicious content.
  • Enable multi-factor authentication for added security.
  • Develop an effective incident response plan.
  • Regularly back up critical data offline or in separate locations.

Detection

  • Use behavior-based security tools.
  • Monitor network traffic for anomalies.
  • Employ intrusion detection/prevention systems.
  • Implement endpoint monitoring.
  • Utilize security information and event management (SIEM).

Indicators of Compromise (IOCs)

  • File Extensions: Look for encrypted files with unusual file extensions appended to them, such as .michaelkors, .locked, or random alphanumeric extensions.
  • Ransom Note Files: Look for text files or HTML files dropped in directories containing encrypted files. These files typically provide instructions on how to pay the ransom and recover the files.
  • Network Connections: Monitor network traffic for connections to known command-and-control (C2) servers or suspicious IP addresses associated with MichaelKors ransomware infrastructure.
  • File Hashes: Compare file hashes of known malicious samples associated with MichaelKors ransomware against the files in your environment. These hashes can be obtained from threat intelligence feeds or security researchers.
  • Registry Modifications: Check for unauthorized modifications to Windows registry keys related to system startup or encryption mechanisms. Ransomware often makes these changes to ensure persistence and control over the infected system.
  • Malicious Processes: Monitor for the presence of unusual or suspicious processes running on endpoints or servers. Ransomware typically operates as a malicious process to encrypt files and carry out its activities.
  • Unusual File Access Patterns: Look for a sudden surge in file read and write operations, particularly in user directories, as ransomware encrypts files and creates encrypted copies.
  • Unusual System Behavior: Monitor for abnormal system behavior, such as frequent system crashes, unresponsive applications, or unusual CPU and memory usage, which may indicate ransomware activity.
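
The file-based indicators above (appended extensions, ransom notes dropped beside encrypted files) can be checked with a short triage script run over a file share or datastore mount. This is an added example, not code from the original page; the note-name fragments, the allowlist of familiar extensions, the thresholds and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter

SUSPECT_EXTS = {".michaelkors", ".locked"}   # extensions named in the IOC list
NOTE_EXTS = {".txt", ".html", ".htm"}        # note formats named in the IOC list
NOTE_HINTS = ("readme", "restore", "recover", "decrypt")  # assumed name fragments
KNOWN_EXTS = {".vmdk", ".vmx", ".log", ".docx", ".xlsx", ".pdf"} | NOTE_EXTS  # assumed allowlist

def triage(root, min_files=3, share=0.8):
    """Return {relative directory: [reasons]}; note-like files count only beside suspect files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        parts = [os.path.splitext(f.lower()) for f in files]
        notes = [s + e for s, e in parts if e in NOTE_EXTS and any(h in s for h in NOTE_HINTS)]
        data = [e for s, e in parts if s + e not in notes]
        counts = Counter(data)
        reasons = []
        listed = sum(counts[e] for e in SUSPECT_EXTS)
        if listed:
            reasons.append(f"{listed} file(s) with a listed extension")
        # One unfamiliar extension covering most of a directory suggests an appended suffix.
        if len(data) >= min_files:
            ext, n = counts.most_common(1)[0]
            if ext and ext not in KNOWN_EXTS | SUSPECT_EXTS and n / len(data) >= share:
                reasons.append(f"{n}/{len(data)} files share unfamiliar extension {ext}")
        if reasons and notes:
            reasons.append("possible ransom note: " + ", ".join(sorted(notes)))
        if reasons:
            findings[os.path.relpath(dirpath, root)] = reasons
    return findings

def build_sample_tree(root):
    """Constructed sample data: a clean directory and two that match the indicators."""
    layout = {
        "clean": ["a.vmdk", "a.vmx", "vmware.log", "README.txt"],
        "vm01": ["disk.vmdk.michaelkors", "vm01.vmx.michaelkors", "HOW_TO_RESTORE.txt"],
        "share": ["q1.xlsx.x9k2", "plan.docx.x9k2", "scan.pdf.x9k2", "notes.txt.x9k2"],
    }
    for d, names in layout.items():
        os.makedirs(os.path.join(root, d))
        for name in names:
            open(os.path.join(root, d, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for directory, reasons in sorted(triage(tmp).items()):
            print(directory, "->", "; ".join(reasons))
```

The clean directory contains a README.txt but is not reported, because a note-like file is only treated as an indicator when it appears next to files that already match.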

References

The Hacker News
