Ransomware Threats Evolve: Cybersecurity Firm Uncovers Common Patterns in Attacks on Virtualization Infrastructure
Ransomware attacks targeting VMware ESXi infrastructure seem to follow a consistent pattern, according to a recent report from cybersecurity firm Sygnia. The report highlighted that virtualization platforms are often vulnerable to misconfigurations, making them prime targets for threat actors. In its investigations involving various ransomware families like LockBit and BlackCat, Sygnia observed similar attack sequences on virtual environments.
To mitigate these risks, organizations are advised to implement robust security measures such as enhanced monitoring, strong backups, strict authentication, environment hardening, and network restrictions to prevent lateral movement.
Cybersecurity company Rapid7 issued a warning about an ongoing campaign using malicious ads on search engines to distribute trojanized installers for WinSCP and PuTTY. These installers lead to the deployment of ransomware via the Sliver toolkit and Cobalt Strike Beacon. Targeting IT professionals, the campaign aims to gain a foothold through deceptive downloads.
Recent ransomware variants like MorLock, , , and have emerged, with MorLock specifically targeting Russian companies. These groups demand significant ransoms, typically amounting to millions of rubles, for file decryption.
Statistics from NCC Group show a 15% decrease in global ransomware attacks in April 2024 compared to the previous month. This decline marks a shift in the ransomware landscape, with Play and Hunters emerging as prominent threat groups.
In addition, cybercriminals are promoting hidden VNC and remote access services like and for data exfiltration and facilitating ransomware attacks. Services like TMChecker have lowered the barrier to entry for threat actors seeking high-impact corporate access, signaling a concerning trend in cybercrime.