What's going on in the world of Blue Sky Systems

Ransomware encryption attacks have been around for a few years and are on the rise; the attacks are also becoming more advanced.
 
Historically, attacks have mostly targeted the operating system (Windows and Linux), with no attention paid to the hypervisor. More recently, however, a fair number of ransomware groups have changed their approach, with the virtualisation layer becoming a new focus.
 
The reasons for this change are that these attacks are relatively simple, and there is much less security software at this layer (for example, no anti-virus). That lack of monitoring and software makes the attack stealthier and, in many circumstances, far more complete (entire server platforms encrypted with very little effort). VMware has, thankfully, been working in the background for some time to provide tools to combat this attack vector.
 
To enable these options, you will need a TPM 2.0 module (a hardware security module that has been common on server hardware for over 5 years) and ESXi installed in UEFI boot mode.
 
Commands should be entered through either the ESXi Shell or PowerCLI (with privileged access). The ESXi Shell should normally be disabled and will need to be enabled before access (and disabled again afterwards).
 
Confirm your encryption settings in ESXi:
esxcli system settings encryption get
   Mode: <TPM/None>
   Require Executables Only From Installed VIBs: <true/false>
   Require Secure Boot: <true/false>
If Mode: NONE (TPM Not Enabled):
 
REBOOT the host and enter the BIOS/UEFI setup.
There you will need to enable:
• TPM 2.0 module
• Secure Boot (UEFI boot mode must be enabled for this)
• If using Intel, enable TXT
• If using AMD, enable TrustZone
Save the settings and reboot.
 
Once booted into ESXi, enable TPM:
esxcli system settings encryption set --mode=TPM
Verify:
esxcli system settings encryption get
   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false
Save Settings:
/sbin/auto-backup.sh
If Require Secure Boot: false (Allow non-secure boot):
Set Require Secure Boot:
esxcli system settings encryption set --require-secure-boot=TRUE
Verify:
esxcli system settings encryption get
   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true
Save Settings:
/sbin/auto-backup.sh
 
If “Require Executables Only From Installed VIBs: false” (Settings allow any code to execute on ESXi):
 
Apply to runtime:
esxcli system settings kernel set -s execInstalledOnly -v TRUE
REBOOT
 
Set enforcement for execution policy:
esxcli system settings encryption set --require-exec-installed-only=TRUE
Then Verify:
esxcli system settings encryption get
   Mode: TPM
   Require Executables Only From Installed VIBs: true
   Require Secure Boot: true
Save Settings:
/sbin/auto-backup.sh
 
These commands enable secure boot and only allow code execution for code that is installed via VIB.
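
As an added example (not code from the original article), here is a small POSIX shell check, usable from the ESXi Shell, that parses the output of "esxcli system settings encryption get" and reports which of the three steps above is still outstanding. The function names audit_esxi_encryption and setting_value and the sample output are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original article: audit the three settings
# printed by "esxcli system settings encryption get" and list the step
# from the procedure above that is still missing for each one.
# On a real host:  audit_esxi_encryption "$(esxcli system settings encryption get)"

# Print the value of one "Key: value" line from the captured output,
# lower-cased so TPM/true/false compare reliably.
# $1 = captured esxcli output, $2 = key exactly as esxcli prints it
setting_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" \
        | tr -d '\r' | tr 'A-Z' 'a-z'
}

# Returns 0 when Mode=TPM, Require Secure Boot=true and
# Require Executables Only From Installed VIBs=true; otherwise prints one
# FAIL line per non-compliant setting and returns 1.
audit_esxi_encryption() {
    out="$1"
    rc=0
    mode=$(setting_value "$out" "Mode")
    sb=$(setting_value "$out" "Require Secure Boot")
    vib=$(setting_value "$out" "Require Executables Only From Installed VIBs")
    if [ "$mode" != "tpm" ]; then
        echo "FAIL Mode=$mode -> esxcli system settings encryption set --mode=TPM"
        rc=1
    fi
    if [ "$sb" != "true" ]; then
        echo "FAIL Require Secure Boot=$sb -> esxcli system settings encryption set --require-secure-boot=TRUE"
        rc=1
    fi
    if [ "$vib" != "true" ]; then
        echo "FAIL Require Executables Only From Installed VIBs=$vib -> esxcli system settings kernel set -s execInstalledOnly -v TRUE, reboot, then esxcli system settings encryption set --require-exec-installed-only=TRUE"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: TPM mode, Secure Boot and execInstalledOnly are all enforced"
    return "$rc"
}

# Constructed sample of the command's output (TPM mode on, neither
# enforcement setting on) so the check can be run without an ESXi host.
SAMPLE_PARTIAL='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'

# Demo run: prints two FAIL lines and returns 1 (two steps still to do).
audit_esxi_encryption "$SAMPLE_PARTIAL" || true
```

Run it after each "Save Settings" step to confirm the host has reached the final state shown above before moving on.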
 
Setting the code execution policy stops attackers from running encryption tools via Perl scripts to encrypt your system. Be aware, however, that this will stop the update manager from scanning for updates; you will still be able to apply them.
 
It is possible to disable Secure Boot again. However, this requires the hosts to be rebooted and the BIOS reconfigured. Setting a BIOS password and monitoring the uptime of your systems will also assist in identifying if an attacker is attempting to work around this protection.
 
It is also possible to disable the execution security settings, so maintaining security around administrative rights and access to ESXi hosts is equally important.
Please note that this set of more secure settings for ESXi Secure Boot and execution policies is only part of an overall defence against attacks and should be applied in combination with other security measures.
 
Disclaimer: All the steps and scripts shown in this article should be tested on non-production servers first. All the instructions provided come without any warranty. The entire risk and impacts arising out of the use or performance of these instructions remain with you. We are not liable for any damages whatsoever arising out of the use of or inability to use the instructions or documentation.