New sniper-like Python ransomware uncovered

By Shannon Williams
Fri 8 Oct 2021

A new Python ransomware has been uncovered by next-gen cybersecurity firm Sophos.

Sophos has released details of the new ransomware, written in Python, that attackers used to compromise and encrypt virtual machines hosted on an ESXi hypervisor. The report, Python Ransomware Script Targets ESXi Server for Encryption, details a sniper-like operation that took less than three hours to progress from breach to encryption.

"This is one of the fastest ransomware attacks Sophos has ever investigated and it appeared to precision-target the ESXi platform," says Andrew Brandt, principal researcher at Sophos. 

"Python is a coding language not commonly used for ransomware. However, Python is pre-installed on Linux-based systems such as ESXi, and this makes Python-based attacks possible on such systems," he explains.

"ESXi servers represent an attractive target for ransomware threat actors because they can attack multiple virtual machines at once, where each of the virtual machines could be running business-critical applications or services. Attacks on hypervisors can be both fast and highly disruptive. Ransomware operators including DarkSide and REvil have targeted ESXi servers in attacks."

Attack Timeline

The Sophos investigation revealed that the attack began at 12:30 a.m. on a Sunday, when the ransomware operators broke into a TeamViewer account running on a computer that belonged to a user who also had domain administrator access credentials.

According to the investigators, 10 minutes later, the attackers used the Advanced IP Scanner tool to look for targets on the network. The investigators believe the ESXi Server on the network was vulnerable because it had an active Shell, a programming interface that IT teams use for commands and updates. This allowed the attackers to install a secure network communications tool called Bitvise on the machine belonging to the domain administrator, which gave them remote access to the ESXi system, including the virtual disk files used by the virtual machines. At around 3:40 a.m., the attackers deployed the ransomware and encrypted these virtual hard drives hosted on the ESXi server.
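The chain described above can be expressed as a simple sequence-correlation rule. The following Python is an added example, not code from the Sophos report or this article: it runs over constructed telemetry (hostnames, usernames, tool names and the log format are all assumed) and flags a workstation where an off-hours remote-access session is followed, within three hours, by a network scanner and then an SSH client on the same host.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry for this example (not data from the Sophos report).
# Fields: ISO timestamp, host, user, event type, detail.
SAMPLE_EVENTS = """\
2021-10-03T00:30:00 WS-ADMIN01 jdoe remote_session TeamViewer
2021-10-03T00:40:00 WS-ADMIN01 jdoe process_start advanced_ip_scanner.exe
2021-10-03T01:05:00 WS-ADMIN01 jdoe software_install BitviseSSHClient
2021-10-02T22:00:00 WS-HR02 pbrown remote_session TeamViewer
2021-10-02T22:10:00 WS-HR02 pbrown process_start advanced_ip_scanner.exe
2021-10-04T10:15:00 WS-DEV07 asmith remote_session TeamViewer
2021-10-04T10:20:00 WS-DEV07 asmith process_start advanced_ip_scanner.exe
2021-10-04T14:00:00 WS-DEV07 asmith software_install BitviseSSHClient
""".splitlines()

# Ordered chain mirroring the reported intrusion on the admin workstation:
# remote-access tool session, then a network scanner, then an SSH client.
CHAIN = [
    ("remote_session", "teamviewer"),
    ("process_start", "ip_scanner"),
    ("software_install", "bitvise"),
]
WINDOW = timedelta(hours=3)      # reported breach-to-encryption took under 3 hours
BUSINESS_HOURS = range(7, 19)    # 07:00-18:59 on a weekday counts as staffed

def parse(line):
    ts, host, user, event, detail = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), host, user, event, detail.lower()

def off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS

def matches(step, event, detail):
    return event == step[0] and step[1] in detail

def find_precursor_chains(lines):
    """One alert per host where CHAIN completes in order within WINDOW of an
    off-hours remote-access session; daytime use of the same tools is ignored."""
    events = sorted(parse(l) for l in lines if l.strip())
    alerts = []
    for i, (start, host, user, event, detail) in enumerate(events):
        if not (matches(CHAIN[0], event, detail) and off_hours(start)):
            continue
        stage, times = 1, [start]
        for ts, h, _, ev, det in events[i + 1:]:
            if ts - start > WINDOW:
                break                       # sorted input: the window has expired
            if h == host and matches(CHAIN[stage], ev, det):
                times.append(ts)
                stage += 1
                if stage == len(CHAIN):
                    alerts.append({"host": host, "user": user, "times": times})
                    break
    return alerts
```

On the sample data only WS-ADMIN01 is flagged: WS-HR02 never reaches the SSH-client stage and WS-DEV07 performs the same steps during staffed hours.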

Security Advice

"Administrators who operate ESXi or other hypervisors on their networks should follow security best practices. This includes using unique, difficult to brute-force passwords and enforcing the use of multi-factor authentication wherever possible," says Brandt.

"The ESXi Shell can and should be disabled whenever it is not being used by staff for routine maintenance, for instance, during the installation of patches. The IT team can do this by either using controls on the server console or through the software management tools provided by the vendor."

Sophos endpoint products, such as Intercept X, protect users by detecting the actions and behaviours of ransomware and other attacks. The act of attempting to encrypt files is blocked by the CryptoGuard feature.

Sophos further recommends the following standard best practices to help defend against ransomware and related cyberattacks:

At a Strategic Level

  • Deploy layered protection. As more ransomware attacks begin to involve extortion, backups remain necessary, but insufficient. It is more important than ever to keep adversaries out in the first place, or to detect them quickly, before they cause harm. Use layered protection to block and detect attackers at as many points as possible across an estate
  • Combine human experts and anti-ransomware technology. The key to stopping ransomware is defense-in-depth that combines dedicated anti-ransomware technology and human-led threat hunting. Technology provides the scale and automation an organisation needs, while human experts are best able to detect the tell-tale tactics, techniques and procedures that indicate an attacker is attempting to get into the environment. If organisations don't have the skills in house, they can enlist support from cybersecurity specialists

At a Day-to-Day Tactical Level

  • Monitor and respond to alerts. Ensure the appropriate tools, processes, and resources (people) are available to monitor, investigate and respond to threats seen in the environment. Ransomware attackers often time their strike during off-peak hours, at weekends or during the holidays, on the assumption that few or no staff are watching
  • Set and enforce strong passwords. Strong passwords serve as one of the first lines of defense. Passwords should be unique or complex and never re-used. This is easier to accomplish with a password manager that can store staff credentials
  • Use Multi Factor Authentication (MFA). Even strong passwords can be compromised. Any form of multifactor authentication is better than none for securing access to critical resources such as e-mail, remote management tools and network assets
  • Lock down accessible services. Perform network scans from the outside and identify and lock down the ports commonly used by VNC, RDP, or other remote access tools. If a machine needs to be reachable using a remote management tool, put that tool behind a VPN or zero-trust network access solution that uses MFA as part of its login
  • Practice segmentation and zero-trust. Separate critical servers from each other and from workstations by putting them into separate VLANs as you work towards a zero-trust network model
  • Make offline backups of information and applications. Keep backups up to date, ensure their recoverability and keep a copy offline
  • Inventory your assets and accounts. Unknown, unprotected and unpatched devices in the network increase risk and create a situation where malicious activities could pass unnoticed. It is vital to have a current inventory of all connected compute instances. Use network scans, IaaS tools, and physical checks to locate and catalog them, and install endpoint protection software on any machines that lack protection
  • Make sure security products are correctly configured. Under-protected systems and devices are vulnerable too. It is important to ensure security solutions are configured properly and to check and, where necessary, validate and update security policies regularly. New security features are not always enabled automatically. Don't disable tamper protection or create broad detection exclusions, as doing so will make an attacker's job easier
  • Audit Active Directory (AD). Conduct regular audits on all accounts in AD, ensuring that none have more access than is needed for their purpose. Disable accounts for departing employees as soon as they leave the company
  • Patch everything. Keep Windows and other operating systems and software up to date. This also means double checking that patches have been installed correctly and are in place for critical systems like internet-facing machines or domain controllers