Why we should use execInstalledOnly to protect ESXi against ransomware
Ransomware executing inside a VMware vSphere ESXi host can encrypt all the virtual machines at once, without having to compromise each guest operating system.
More info on it can be found in this CrowdStrike writeup.
This attack vector is possible because once attackers get control of an ESXi host, they are by default allowed to upload and execute any custom binaries they want.
We can fairly easily prevent this by using the relatively unknown ESXi setting execInstalledOnly (optionally in combination with TPM 2.0 and UEFI Secure Boot), which is described in the 'Three steps to protect ESXi against ransomware' section below.
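As an added example (not part of the original article), the script below audits whether execInstalledOnly is actually enforced on a host by classifying the table printed by `esxcli system settings kernel list -o execinstalledonly`. The function names, the state labels and the sample row are constructed for illustration, and the column order (Name, Type, Configured, Runtime, Default) is an assumption to verify against your ESXi build.

```shell
#!/bin/sh
# Added example: audit the execInstalledOnly kernel setting on an ESXi host.
# Assumption: esxcli prints columns Name, Type, Configured, Runtime, Default.

classify_exec_installed_only() {
    # Reads the esxcli table on stdin and prints one state word:
    #   enforced              configured and active in the running kernel
    #   pending-reboot        configured, but not active until the host reboots
    #   disabled-after-reboot active now, but configured to be off at next boot
    #   not-enforced          unsigned binaries can still be executed
    #   unknown               the setting row was not found in the input
    awk '
        tolower($1) == "execinstalledonly" {
            found = 1
            configured = toupper($3)
            runtime = toupper($4)
            if (configured == "TRUE" && runtime == "TRUE") print "enforced"
            else if (configured == "TRUE")                 print "pending-reboot"
            else if (runtime == "TRUE")                    print "disabled-after-reboot"
            else                                           print "not-enforced"
        }
        END { if (!found) print "unknown" }
    '
}

sample_output() {
    # Constructed sample: setting was changed but the host has not rebooted yet.
    cat <<'EOF'
Name               Type  Configured  Runtime  Default  Description
-----------------  ----  ----------  -------  -------  -----------
execinstalledonly  Bool  TRUE        FALSE    FALSE    Constructed sample row
EOF
}

# On an ESXi host, query the live value; elsewhere, fall back to the sample.
if command -v esxcli >/dev/null 2>&1; then
    state=$(esxcli system settings kernel list -o execinstalledonly \
            | classify_exec_installed_only)
else
    state=$(sample_output | classify_exec_installed_only)
fi
echo "execInstalledOnly: $state"
```

Any result other than `enforced` means the running kernel still accepts binaries that did not come from an installed VIB, so a `pending-reboot` host is not yet protected.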