VMware Explore 2023 Barcelona, Video Library

How to Protect Your ESXi and vCenter from Getting Ransomware

VMware vCenter Server and VMware ESXi are attractive targets for ransomware attacks. In this session, Anders Olsson from Truesec will show you how to proactively protect the VMware vSphere platform against ransomware and detect attacks before they encrypt your ESXi hosts and VMs. 

Using experiences and examples from multiple real-life ransomware incidents, he explores and explains attack paths, protection recommendations, and forensic detection techniques.


Don’t have time to watch the full session? Here’s a rundown of key takeaways:

1. vSphere is an attractive target for ransomware attacks, making it crucial to protect your vSphere environment against such threats.

2. It is important to differentiate between protecting workloads (VMs, servers, clients, AD) and protecting the infrastructure platform (vSphere, storage, etc.), as the two require different security measures. The two should also be separated from each other.

3. Understanding the attack paths leading up to a vSphere ransomware execution is essential. These paths include initial access, leveraging Active Directory, and the different ways to reach and attack vCenter Server and ESXi.

4. Recovering a vSphere environment after an attack should not involve paying the ransom. Paying the attackers increases the risk of future attacks and does not guarantee a complete resolution.

5. The availability and integrity of backups are crucial for recovery. It is important to ensure that backups cannot be tampered with and that they can be restored successfully.

6. Cleaning and restoring compromised components, such as VMs, vCenter Server, and ESXi hosts after an attack requires careful consideration and forensic analysis.

7. To protect vSphere against attacks, several measures should be taken, including segmenting vSphere from workloads and clients, using EDR/XDR/SIEM for endpoints and vSphere, installing security updates, and following vSphere hardening guidelines.

8. Preventing execution of foreign code on ESXi can be achieved through settings such as execInstalledOnly, which blocks the execution of files and scripts that were not installed as part of ESXi.

9. UEFI Secure Boot can be used to validate the integrity of boot and kernel files in ESXi, protecting against threat actors establishing persistence with unsigned VIBs.

10. Deactivating shell access for non-root ESXi users can prevent lateral movement from vCenter Server to ESXi, which is an important measure to stop or slow down an attacker.
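As an added example for takeaways 8 and 9 (not code from the session or from VMware), the POSIX shell functions below audit captured output of `esxcli system settings kernel list -o execInstalledOnly` and of `secureBoot.py -s`, so the check can run offline against saved evidence; they distinguish a setting that is enforced from one that is configured but waiting for a reboot. The sample esxcli table and the assumed "Enabled"/"Disabled" wording of the Secure Boot output are constructed for the example.

```shell
#!/bin/sh
# Added example: audit two ESXi hardening settings from captured command output.
#
# Live commands on an ESXi host (root, ESXi shell):
#   esxcli system settings kernel list -o execInstalledOnly
#   /usr/lib/vmware/secureboot/bin/secureBoot.py -s
# Remediation for execInstalledOnly (takes effect after the next reboot):
#   esxcli system settings kernel set -s execInstalledOnly -v TRUE

# Prints ENFORCED / PENDING_REBOOT / NOT_CONFIGURED and returns 0 / 1 / 2.
# The esxcli table has the columns Name Type Configured Runtime Default
# Description: "Configured" is the persisted value, "Runtime" is what the
# running kernel actually enforces, so the two can differ until a reboot.
audit_exec_installed_only() {
    _cfg=$(printf '%s\n' "$1" | awk '$1 == "execInstalledOnly" { print $3 }')
    _rt=$(printf '%s\n' "$1" | awk '$1 == "execInstalledOnly" { print $4 }')
    case "$_cfg/$_rt" in
        TRUE/TRUE)  echo ENFORCED;       return 0 ;;
        TRUE/FALSE) echo PENDING_REBOOT; return 1 ;;
        *)          echo NOT_CONFIGURED; return 2 ;;
    esac
}

# Prints ENABLED / DISABLED from secureBoot.py -s output (assumed to be a
# single line reading "Enabled" or "Disabled"); returns 0 only when enabled.
audit_secure_boot() {
    case "$1" in
        *Enabled*) echo ENABLED;  return 0 ;;
        *)         echo DISABLED; return 1 ;;
    esac
}

# Constructed sample evidence (not real host output): the setting has been
# persisted but the host has not been rebooted yet.
SAMPLE_PENDING='Name               Type  Configured  Runtime  Default  Description
-----------------  ----  ----------  -------  -------  -----------
execInstalledOnly  Bool  TRUE        FALSE    FALSE    Only execute files installed via VIBs'
SAMPLE_SB='Enabled'

# Stand-alone run against the constructed samples.
audit_exec_installed_only "$SAMPLE_PENDING" || echo "execInstalledOnly not enforced (rc=$?)"
audit_secure_boot "$SAMPLE_SB"
```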
