Virtual machines got targeted by a new Python ransomware


Security experts have found a new Python ransomware campaign wherein corporate systems are encrypted within three hours. According to researchers, this attack is performed by threat actors who specifically target the ESXi platform so that they can encrypt the victim’s virtual machines. 

The threat actors deployed this new ransomware, written in Python, in only ten minutes after intruding on a victim organization’s TeamViewer account. TeamViewer lets anyone access and control devices and platforms remotely to manage them.

Within ten minutes of the intrusion, the threat actors located a vulnerable ESXi server that they found appropriate for their next attack stage. VMware ESXi is a type-1 hypervisor developed by VMware to manage virtual machines (VMs) and containers.

Researchers assume that an active shell made the ESXi server prone to exploitation, which led to the installation of Bitvise. Bitvise is secure remote access software developed for Windows server administration. The threat actors used Bitvise to tap ESXi and the virtual disk files used by active virtual machines.

Even though the built-in SSH of ESXi servers, called the ESXi Shell, is generally disabled by default, administrators can still enable it. Researchers added that the IT staff of the affected organization, being accustomed to using ESXi in managing their servers, had enabled and disabled the shell several times before the attack happened. Unfortunately, the IT staff failed to disable the shell the last time they enabled it, which led to the attack.
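The failure described above (a shell enabled for maintenance and never disabled again) can be caught by replaying enable/disable events per host. The following is an added example, not code from the researchers or from VMware tooling; the event format, host names, timestamps and the one-hour threshold are constructed assumptions to be mapped onto your own audit export.

```python
from datetime import datetime, timedelta

# Constructed sample events: "<timestamp> <host> <service> <action>".
# Hypothetical format, not an actual ESXi or vCenter log layout.
SAMPLE_EVENTS = """\
2021-01-10T09:00:00 esx01 ESXiShell enabled
2021-01-10T09:40:00 esx01 ESXiShell disabled
2021-01-12T14:00:00 esx01 ESXiShell enabled
2021-01-12T14:25:00 esx01 ESXiShell disabled
2021-01-15T11:00:00 esx01 ESXiShell enabled
2021-01-11T08:00:00 esx02 ESXiShell enabled
2021-01-11T08:10:00 esx02 ESXiShell disabled
this line is malformed and is skipped
"""

def parse_events(text):
    """Yield (time, host, service, action) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("enabled", "disabled"):
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield when, parts[1], parts[2], parts[3]

def shells_left_enabled(text, now, max_open=timedelta(hours=1)):
    """Return {(host, service): open_duration} for services whose latest
    state is 'enabled' and which have stayed open longer than max_open."""
    opened = {}  # (host, service) -> time of the enable that is still open
    for when, host, service, action in sorted(parse_events(text)):
        key = (host, service)
        if action == "enabled":
            opened.setdefault(key, when)  # keep the earliest unmatched enable
        else:
            opened.pop(key, None)         # a disable closes the open window
    return {k: now - t for k, t in opened.items() if now - t > max_open}

if __name__ == "__main__":
    now = datetime(2021, 1, 16, 11, 0, 0)  # constructed "current" time
    for (host, svc), age in shells_left_enabled(SAMPLE_EVENTS, now).items():
        print(f"{host}: {svc} enabled for {age} with no matching disable")
```

Run on a schedule, a check like this turns "forgot to disable the shell" into an alert rather than a standing exposure.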


Threat actors managed to deploy the Python ransomware within three hours of intrusion and encrypt the victim’s virtual machines.


The script that the threat actors used to hijack the organization’s virtual machines is 6 KB in length. It contains variables such as email addresses, encryption key sets, and options to modify the suffix used in encrypting files in the ransomware attack.

The malware established a drive map, kept the virtual machine names, and powered off the actual virtual machines. The full database encryption began the moment that all of them had been disabled.

This technique has been used by big ransomware groups such as the DarkSide and REvil. 

Security researchers highlighted that this incident must remind IT administrators to enhance their security measures and standards, especially on virtual machine platforms and standard corporate networks. 
