Limit the risk of ransomware with OpsLogix VMware MP

by OpsLogix, on 17-Feb-2022 14:30:00


Ransomware is not a new concept in IT security, but it is receiving far more attention now that the scale, number and cost of these attacks are increasing worldwide. Although the attacks are aimed at organizations, the outcome can significantly affect consumers and individuals as well: the impact on healthcare systems, schools and power providers can be devastating.

Limiting the risk of a ransomware attack should be high on every organization's priority list. These attacks can cause substantial damage to both public and private organizations.

There are direct financial risks from the ransom itself and indirect costs from production downtime, data loss, destroyed system logs and so on. This is compounded when an organization loses customer confidence and suffers the reputational damage associated with a data breach.

For 2021, the worldwide cost of ransomware attacks was predicted to reach as much as 20 billion USD, putting it at #1 on the list of the fastest-growing cybercrimes.

In late 2021, a vulnerability in the open-source Apache Log4j logging library affected many organizations across industries worldwide. It caused a lot of stress in IT departments wherever the library was deployed, whether internally as part of a workflow or application, or indirectly through third-party vendors' products.

More recently, VMware disclosed vulnerabilities affecting several of its products and released patches for them. Although no exploitation in the wild is known yet, the potential damage is substantial if a malicious actor obtains SSH access to an NSX Edge appliance (NSX-V) or local administrative privileges on a virtual machine.

These events have further emphasized the importance of a holistic approach to IT security and of the measures needed to prevent similar scenarios from recurring.

Ransomware - What it is and how it creates damage 

Ransomware attacks sometimes start directly through unpatched or outdated infrastructure, by way of a vulnerable service exposed on an open port. By far the most common entry point, however, is the inadvertent execution of malware delivered through an email attachment, a link or a USB stick.

Once running, the malware gives the attackers access to business data, applications and programs, which they encrypt. They then refuse to restore the data and/or administrative access unless a ransom is paid. The attackers' methods are becoming increasingly sophisticated and are always aimed at maximizing the damage to the exposed organization.

Ransomware attacks are increasing globally and have even become a business: Ransomware as a Service (RaaS) now exists. It lets criminal organizations or individual hackers use ready-made ransomware without extensive knowledge of its development or deployment.

As ransomware attacks become more accessible and profitable, the need to increase cyber security is obvious. 

Limiting the Risk of Ransomware

The best way to limit the risk of your organization becoming the victim of such an attack is to keep software and hardware updated and to keep pace with the latest general cybersecurity threats and issues. This cultivates a healthy awareness that limits the risk of someone accidentally downloading malware.

The measures that decrease the risk of ransomware are simple yet very effective. These are company-wide:

  • Ensure that the source of any download is known and trusted
  • Invest in a proven, reliable email spam filter; it should block the majority of phishing emails
  • Do not open unrequested attachments or links from unknown sources (always check where a URL actually points)

A few other measures that can be taken:

  • Using antivirus software
  • Enabling and correctly architecting firewall zones
  • Knowing which system ports are open and closing the ones that are unused
  • Updating and correctly patching software
  • Backing up data as frequently as possible, keeping at least one copy offline or otherwise out of reach of an attacker with administrative access (ransomware also targets online backups), and regularly testing that backups can actually be restored

OpsLogix VMware Pack and Ransomware

To enhance the prevention of security breaches in the IT environment, we are working on improvements to our VMware Management Pack. VMware was one of the vendors affected by the Log4j vulnerability; no OpsLogix products include the affected components, so they were unaffected, but VMware users were.

Our VMware Management Pack monitors the business-critical VMware vSphere environment. All alarms from vCenter are analyzed and forwarded as alerts to SCOM, where the data is aggregated and monitored.

We are now developing new functionality that enhances the Management Pack further by proactively detecting when and where an insecure configuration puts a host, virtual machine or vCenter at risk of compromise. This allows more proactive alerts to be raised and the responsible team(s) to be notified to take action.

The roadmap features currently under development include over 60 new security monitors related to ESXi hosts, virtual machines, networks and vCenter Server.

These are some examples of the monitors being added to the Management Pack:

  • ESXi.Audit-SSH-Disable 
  • ESXi.config-snmp 
  • ESXi.disable-cim 
  • ESXi.Disable-oldtls-protocols 
  • ESXi.enable-normal-lockdown-mode 
  • ESXi.firewall-restrict-access 
  • And many more....
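
The monitor names above are VMware hardening-guide settings that can also be checked directly from PowerCLI. The script below is an added example and is not code from the OpsLogix Management Pack or from VMware: it connects to a vCenter, reads the six settings behind the listed monitors on every ESXi host, and prints which hosts fail which check. It assumes VMware PowerCLI is installed, that the account used has read access to the hosts, and that the hosts run ESXi 6.x or 7.x, where the disabled TLS versions live in the advanced setting UserVars.ESXiVPsDisabledProtocols. The -VCenter parameter and the pass/fail conditions are my own; the monitor IDs are reused from the list above only as labels, since the exact thresholds the Management Pack will use are not published here.

```powershell
# Added example (not part of the OpsLogix VMware MP or of VMware's own tooling):
# audit the six hardening settings listed above on every ESXi host in a vCenter.
# Assumption: VMware PowerCLI is installed and the account can read host configuration.
param(
    [Parameter(Mandatory)][string]$VCenter
)

Import-Module VMware.PowerCLI -ErrorAction Stop
$null = Connect-VIServer -Server $VCenter -Credential (Get-Credential) -ErrorAction Stop

$report = foreach ($esx in Get-VMHost) {
    $services = Get-VMHostService -VMHost $esx
    $ssh      = $services | Where-Object Key -eq 'TSM-SSH'
    $snmp     = $services | Where-Object Key -eq 'snmpd'
    $cim      = $services | Where-Object Key -eq 'sfcbd-watchdog'

    # ESXi 6.x/7.x keep the disabled TLS versions in this advanced setting as a
    # comma-separated list, e.g. "sslv3,tlsv1,tlsv1.1" (assumption: hosts are on those releases).
    $tlsSetting  = Get-AdvancedSetting -Entity $esx -Name 'UserVars.ESXiVPsDisabledProtocols'
    $tlsRaw      = [string]$tlsSetting.Value
    $disabledTls = @($tlsRaw -split ',' | ForEach-Object { $_.Trim().ToLower() })

    # Enabled firewall rulesets that accept connections from any source address.
    $openToAll = Get-VMHostFirewallException -VMHost $esx |
        Where-Object { $_.Enabled -and $_.ExtensionData.AllowedHosts.AllIp }

    $lockdown = [string]$esx.ExtensionData.Config.LockdownMode
    $findings = [System.Collections.Generic.List[string]]::new()

    # ESXi.Audit-SSH-Disable: SSH must be stopped and must not start with the host.
    if ($ssh.Running -or $ssh.Policy -eq 'on') { $findings.Add('ESXi.Audit-SSH-Disable') }
    # ESXi.config-snmp: if SNMP is not actually used for monitoring, snmpd should be stopped.
    if ($snmp.Running) { $findings.Add('ESXi.config-snmp') }
    # ESXi.disable-cim: the CIM server is only needed by hardware-monitoring agents.
    if ($cim.Running) { $findings.Add('ESXi.disable-cim') }
    # ESXi.Disable-oldtls-protocols: TLS 1.0 and 1.1 must both be in the disabled list.
    if (-not ($disabledTls -contains 'tlsv1' -and $disabledTls -contains 'tlsv1.1')) {
        $findings.Add('ESXi.Disable-oldtls-protocols')
    }
    # ESXi.enable-normal-lockdown-mode: normal or strict lockdown passes; disabled is a finding.
    if ($lockdown -eq 'lockdownDisabled') { $findings.Add('ESXi.enable-normal-lockdown-mode') }
    # ESXi.firewall-restrict-access: every enabled ruleset should list allowed source IPs/networks.
    if ($openToAll) {
        $findings.Add('ESXi.firewall-restrict-access (' + (@($openToAll.Name) -join ', ') + ')')
    }

    [pscustomobject]@{
        Host      = $esx.Name
        Lockdown  = $lockdown
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

$report | Sort-Object Compliant, Host | Format-Table -AutoSize -Wrap
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it as `.\Audit-EsxiHardening.ps1 -VCenter vcenter.example.internal` from a workstation with PowerCLI; non-compliant hosts sort to the top. The SNMP and CIM checks are deliberately conservative: if you rely on SNMP or a hardware-monitoring agent, treat those findings as prompts to verify the configuration (community strings, SNMPv3, restricted sources) rather than as services to stop.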

The VMware configuration settings (and the specific counters) that we will be including are taken from the VMware Security Configuration Guides, which you can look through and download.

If you or your organization is interested in knowing more or you have some technical suggestions with regard to the VMware security configurations and our VMware MP, let us know or fill in our VMware Management Pack Customer Feedback Survey. 

An additional measure to enhance the proactive monitoring of your VMware environment is VMware Skyline, an extensive service offered by VMware that complements a management pack and the internal monitoring of your platform. Learn more about VMware Skyline and how you can use it to get the most out of your VMware monitoring.
