BadPenguin Ransomware remains one of the most pervasive cyber threats to organizations in 2023.

Unfortunately, many organizations have not responded to the threat. Perhaps it seems too distant a threat while it is happening to someone else: the “that will never happen to me” attitude.

Responding to the threat, by the way, doesn’t necessarily mean spending hundreds or even tens of thousands of dollars to protect your organization. It could mean using your existing technology in a smarter way.

One example of this is hypervisors. Your hypervisors run all the virtualized hosts in the on-premises network. In essence, they are one of the crown jewels. Why are organizations placing these critical systems on the corporate network where Derrick from accounting, who is a “clicker”, can reach them over the network?

Imagine an adversary gaining access to your corporate network and moving laterally to your hypervisor(s). This system likely runs your Active Directory, file servers, databases, business and web applications, and potentially even your backups: a single point of failure. With access to the hypervisor, every virtual disk image file can be encrypted by ransomware from underneath the guests. This also means that OS-level security protections inside the guests are circumvented entirely. If you paid for a top-of-the-line EDR on all your servers, it will be incapable of protecting against this attack vector, because the encryption never touches the guest operating system. This is especially true for VMware ESXi hypervisors, on which you typically cannot install an EDR agent or other OS-level protection.

What can you do to protect this asset? Limit access to the hypervisors from your corporate network to only those who require it. One way to accomplish this is to configure a dedicated management network on which the hypervisors’ management interfaces live, and place it behind an internal firewall. Any time an administrator needs to work on a hypervisor, they will need to VPN or SSH into the management network first. Multifactor authentication should be required as an added layer of protection.
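The internal firewall in front of the management network is the primary control; the host’s own firewall is a second line behind it. As an added example (not from the original post, and not a VMware-supplied script), the shell snippet below generates the esxcli commands that restrict the ESXi SSH and vSphere Client rulesets to an assumed management subnet of 10.10.0.0/24, and audits the output of `esxcli network firewall ruleset allowedip list` for management rulesets still open to every source address. The sample listing is constructed to match the shape esxcli prints, so the script runs offline; the generated commands are printed rather than executed.

```shell
#!/bin/sh
# Added example: lock ESXi management services to a management subnet.
# Assumptions (not from the original post): management network is
# 10.10.0.0/24, and admins need only SSH and the vSphere Client rulesets.
MGMT_NET="${MGMT_NET:-10.10.0.0/24}"
MGMT_RULESETS="sshServer vSphereClient"

# Emit the esxcli commands that restrict each management ruleset.
# Order matters: add the allowed subnet BEFORE disabling allowed-all,
# otherwise an admin connected over SSH cuts off their own session.
gen_lockdown_commands() {
  for rs in $MGMT_RULESETS; do
    echo "esxcli network firewall ruleset allowedip add --ruleset-id $rs --ip-address $MGMT_NET"
    echo "esxcli network firewall ruleset set --ruleset-id $rs --allowed-all false"
  done
}

# Audit: read 'esxcli network firewall ruleset allowedip list' output on
# stdin and print each management ruleset whose allowed source is "All".
# Rows 1-2 are the column header and the dashed separator.
audit_open_rulesets() {
  awk -v want="$MGMT_RULESETS" '
    BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
    NR > 2 && ($1 in wanted) && $2 == "All" { print $1 }
  '
}

# Constructed sample listing (not captured from a real host).
SAMPLE_ALLOWEDIP_LIST='Ruleset          Allowed IP Addresses
---------------  --------------------
sshServer        All
vSphereClient    10.10.0.0/24
dhcp             All'

# Usage on an ESXi host would be:
#   esxcli network firewall ruleset allowedip list | audit_open_rulesets
# Offline demonstration against the constructed sample:
printf '%s\n' "$SAMPLE_ALLOWEDIP_LIST" | audit_open_rulesets
gen_lockdown_commands
```

Against the sample, the audit reports only `sshServer`: the vSphere Client ruleset is already scoped to the management subnet, and `dhcp` is not a management service. Review the generated commands before running them on a host, and test from a management-network address first so a typo in the subnet does not leave the host unreachable.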

Many organizations are not staying apprised of the threat landscape as cybercrime groups continue to retool, rebrand, and change their tactics. But those tactics are not changing in order to overcome a fantastic job most organizations are doing at keeping threat actors out of their networks, limiting their movement once inside, or building better detections. No, threat actor groups are changing their tactics to increase their impact. Over the last 12 to 24 months, many ransomware groups have developed Linux-compatible ransomware binaries and are using them to target ESXi hypervisors directly. Don’t wait for an incident; the right time to address the risk is now.