Virtual server data recovery after cyber-attack
With the benefits of virtual environments being well documented and understood, and the technology being more widely adopted than ever before, what are the implications for cyber-attacks on these virtual systems, and what can you do to mitigate any risk?  
 
Recent moves towards home working have led to much wider adoption of cloud-based or remote storage and backup solutions, not just for business-critical applications and data, but for the ‘live’ data that users generate and work on locally on a daily basis.
 
This means that the impact of downtime for companies and employees alike is greater than ever before, so it is of utmost importance to understand how threat actors can infiltrate your virtual environments, and what precautions, if any, you can take to shore up your defences.

Latest trends in ransomware attacks on virtual environments 

Security company Mandiant, in their latest cyber trends report, found that 2021 saw a marked increase in the number of attacks on VMware virtual environments.
 
These proved to be particularly damaging as once access to vCenter is gained, all hosts in the environment can then be compromised without further access hurdles. 
 
VMware vSphere and ESXi platforms in particular were reported as commonly and successfully targeted, often by the threat actors associated with Conti, Hive, DarkSide and Blackcat.
 
In January of this year, VMware themselves had to address a vulnerability in their Workstation, Fusion, and ESXi platforms to reduce hacker exploitation. 
Kaspersky, a leader in cyber security and anti-virus software, recently published a free tool that helps victims of the Yanluowang virus, another strain of ransomware that targets virtual systems specifically.  
 
Symantec have also noted a rise of virtual machine attacks, with technology such as VirtualBox being used to facilitate the installation of ransomware stealthily within a VM, while encrypting host computer files without raising suspicions. 

How can I prevent ransomware attacks on my virtual machines? 

Given the significant rise in, and sophistication of, these attacks on virtual environments, plus the increased potential payload, it is imperative that extra vigilance is observed, with the following recommendations noted by the previous sources: 
 
Monitor and control software installations. Use enterprise versions of VM software that restrict the creation of new VMs, and use software restriction tools. 
Deploy multiple layers of controls to both VM platform and management interfaces. Segment your network by placing all ESXi and vCenter management on an isolated network or VLAN. 
Implement lockdown mode. This further restricts services and management of ESXi hosts, protecting their integrity and ensuring unsigned VIBs cannot be installed.
Use vCenter Single Sign-On. Decoupling ESXi and vCenter Servers from Active Directory will prevent compromised accounts from being able to authenticate. 
Implement appropriate Restore Point Objectives and Restore Time Objectives. Immutable backups with appropriate degrees and dates of backups will aid quick restoration as required. 
Centralise ESXi logging. This will detect malicious behaviour and help you proactively investigate an incident. Make shell logs available in a central log solution. 
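The backup recommendation above is easy to state and easy to get wrong in practice, so here is an added example (not from the original post or the sources it cites): a Python audit that checks a backup catalogue against a recovery point objective and a minimum number of still-locked immutable restore points, and flags inventoried VMs with no backups at all. The catalogue, VM names and field names are constructed assumptions, not any vendor's export format.

```python
"""Audit a backup catalogue against an RPO and an immutability requirement."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

UTC = timezone.utc


@dataclass(frozen=True)
class RestorePoint:
    vm: str
    taken_at: datetime
    immutable_until: Optional[datetime]  # None = ordinary, deletable backup


# Constructed sample catalogue and VM inventory (assumed values, not real data).
NOW = datetime(2022, 6, 1, 9, 0, tzinfo=UTC)
RPO = timedelta(hours=24)   # newest restore point must be no older than this
MIN_IMMUTABLE = 2           # locked points that survive deletion of the rest
INVENTORY: Set[str] = {"fileserver01", "dbserver01", "webserver01", "vcenter01"}
CATALOGUE: List[RestorePoint] = [
    RestorePoint("fileserver01", datetime(2022, 6, 1, 2, tzinfo=UTC), datetime(2022, 6, 15, tzinfo=UTC)),
    RestorePoint("fileserver01", datetime(2022, 5, 31, 2, tzinfo=UTC), datetime(2022, 6, 14, tzinfo=UTC)),
    RestorePoint("fileserver01", datetime(2022, 5, 30, 2, tzinfo=UTC), None),
    RestorePoint("dbserver01", datetime(2022, 5, 29, 2, tzinfo=UTC), datetime(2022, 6, 12, tzinfo=UTC)),
    RestorePoint("dbserver01", datetime(2022, 5, 28, 2, tzinfo=UTC), datetime(2022, 5, 31, tzinfo=UTC)),  # lock expired
    RestorePoint("webserver01", datetime(2022, 6, 1, 1, tzinfo=UTC), None),
    RestorePoint("webserver01", datetime(2022, 5, 31, 1, tzinfo=UTC), None),
]


def audit_backups(catalogue: List[RestorePoint], inventory: Set[str], now: datetime,
                  rpo: timedelta, min_immutable: int) -> Dict[str, List[str]]:
    """Return {vm: [failed requirements]}; an empty list means the VM passes.
    A point counts as immutable only while its lock is still in force, since
    anything else can be deleted by whoever controls the backup console."""
    by_vm: Dict[str, List[RestorePoint]] = {}
    for p in catalogue:
        by_vm.setdefault(p.vm, []).append(p)
    findings: Dict[str, List[str]] = {}
    for vm in sorted(inventory):  # iterate the inventory so unprotected VMs surface
        points = sorted(by_vm.get(vm, []), key=lambda p: p.taken_at, reverse=True)
        problems: List[str] = []
        if not points:
            problems.append("no restore points")
        else:
            age = now - points[0].taken_at
            if age > rpo:
                problems.append(f"RPO missed: newest point is {age} old")
            locked = [p for p in points if p.immutable_until is not None and p.immutable_until > now]
            if len(locked) < min_immutable:
                problems.append(f"only {len(locked)} immutable point(s), need {min_immutable}")
        findings[vm] = problems
    return findings


def run_audit() -> Dict[str, List[str]]:
    return audit_backups(CATALOGUE, INVENTORY, NOW, RPO, MIN_IMMUTABLE)


if __name__ == "__main__":
    for vm, problems in run_audit().items():
        print(vm, "OK" if not problems else "; ".join(problems))
```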

How can I recover data after a ransomware attack on my virtual server? 

As with all data recovery attempts from critical systems, the immediate steps taken after the data loss or cyber-attack are the most important. 
 
It is imperative to isolate your systems as fully as possible, immediately, to try to contain the attack. This can be particularly challenging for users of virtual environments, as many different servers are routinely clustered together, meaning that the impact of a shutdown can be very far-reaching.
Call your insurer. There is a good chance you will have some measure of cyber cover for your systems, either to compensate for the impacts of downtime and lost productivity, or to pay for the restoration of your data. Just as importantly, they will be well connected with experts to help you manage and reduce the impact of the attack. Use them. 
Engage a data recovery expert to review your situation and options. Oftentimes a data recovery company will have several data recovery paths to explore, including system rollbacks, custom-developed data recovery tools, or the accessing, restoration and repairing of backups. Additionally, they will be able to help with forensic investigation and breach response services. 
Think long and hard before paying a ransom. As few as 1 in 5 ransom payments result in a full restoration of your data. Further, you are yielding to a criminal activity which is not only illegal on your part in certain cases, but potentially opens you up to further attacks / exploitation, and can cause huge reputational damage. There are usually better alternatives to paying, so it is worth taking a breath and reviewing them. 
 
In summary, whilst virtual environments are frequently beneficial technologies from value and performance perspectives, they are unfortunately prone to the same cyber threats as physical environments.
 
Given the potentially high payload of these systems, and several recently exploited vulnerabilities in leading virtual systems, the volume of VM cyber attacks has been increasing rapidly of late. 
 
Thankfully there are several companies that have the tools and expertise to navigate these challenges, but it is imperative that you seek help immediately to maximise the chances of a successful resolution and reduce the chances of being exposed further. 