Guardians of the Hypervisor: ESXi Ransomware Incident Response in Action

As ESXi virtualization environments face an escalating onslaught of ransomware threats, this presentation draws on experience gained by Truesec in handling several incidents involving ESXi ransomware, such as Akira, AlphV, and Trigona. The threat landscape has evolved, with ESXi ransomware becoming a staple tool for a wide range of threat actors. Topics of interest include, but are not limited to:

Threat Intelligence: An exploration of the evolving landscape of ESXi ransomware threats, insights into different strains, and the adoption of ESXi ransomware as a standard tool by numerous threat actors, including a discussion of how the leaked Babuk source code has reshaped the threat landscape.

Malware Analysis: In-depth examination of ESXi ransomware strains, covering code analysis, behavioral patterns, and evasion techniques.

Incident Response: Case studies and lessons learned from real-world ESXi ransomware incidents.

Forensic Analysis: Insights into forensic methodologies tailored to ESXi ransomware investigations.

Protection: How customers can protect their VMware platforms against these attacks.

Insight into Exploitation: The methods and vulnerabilities exploited by ransomware actors, with particular emphasis on understanding the attack vectors, exploitation techniques, and vulnerabilities within ESXi environments.

The presentation aims to contribute to the collective effort to fortify defenses and mitigate the impact of ESXi ransomware incidents, with a particular focus on enhancing threat intelligence capabilities.

Presented at Security Fest 2024.

Speakers: Anders Olsson, Nicklas Keijser

About Anders Olsson

Anders Olsson is VMware VCDX #182 and has 15 years of experience designing and implementing VMware environments. He now focuses on vSphere security, helping customers protect against ransomware attacks and breaches, both proactively and in incident response cases.

About Nicklas Keijser

Nicklas is a Threat Research Analyst, a role that involves a great deal of reverse engineering and looking into all things malware. Nicklas is also a subject matter expert in industrial control systems and everything related to their security. He started his career programming PLCs, SCADA systems, and almost anything else found in industry. Before joining Truesec, Nicklas worked at the Swedish National CERT within the Swedish Civil Contingencies Agency.