Are Servers on VMs are Safe from Ransomware ?



  • Hello all,

    I am looking to get a deep understanding of the risks from ransomware and see how virtualization helps protect us from it.

    I have read somewhere on the Internet that "Ransomware removes itself once it detects the machine is a VM, not physical". I'm not sure if I remember correctly?

    Let's say all my production servers (file server, ERP, etc.) are VMs on top of a Hyper-V / XenServer / VMware virtualization server.

    Scenarios:

    1. If a user's computer is infected, the virus will encrypt all of his computer's data and also the shared folder (to which he has write access) on the file server (which is on a VM). Scheduled VM snapshots are enabled. So if I revert to a snapshot taken before the infection on the file server, I can get back the whole data (losing some data, depending on the snapshot), right?

    Note: I understand that reverting to a snapshot in the step above can undo settings and lose some data that was not infected and did not need recovering.

    2. So we were talking about what runs on top of the VM. How about the virtualization server itself? A few of the risk vectors are the administrator's computer, as he will access the virtualization server and VMs through Hyper-V Manager, XenCenter, vSphere, etc. But I haven't seen any credentials saved on Windows for XenCenter, so what are the actual risks here?

    3. I have heard of so many big companies affected by ransomware, so if virtualization is great, why didn't it help them? Aren't their servers virtual? Maybe they meant user computers only?

    4. What effect can a sudden power failure have on the virtualization server, and how is it going to affect the VMs and the host itself? (Off topic, but because it's virtual, I'm including it here :) ) Is that the same effect as on a physical server?

    Thanks. I will add more questions as they come up ;)


  • Service Provider

    No, nothing makes them safe. Being on a VM does nothing to protect a machine from ransomware; it runs exactly like a physical machine.


  • Service Provider

    @openit said in Are Servers on VMs are Safe from Ransomware ?:

    I have read somewhere on the Internet that "Ransomware removes itself once it detects the machine is a VM, not physical". I'm not sure if I remember correctly?

    It might or might not. Nothing about something being ransomware tells you if it will do this or not.


  • Service Provider

    @openit said in Are Servers on VMs are Safe from Ransomware ?:

    Let's say all my production servers (file server, ERP, etc.) are VMs on top of a Hyper-V / XenServer / VMware virtualization server.

    Scenarios:

    1. If a user's computer is infected, the virus will encrypt all of his computer's data and also the shared folder (to which he has write access) on the file server (which is on a VM). Scheduled VM snapshots are enabled. So if I revert to a snapshot taken before the infection on the file server, I can get back the whole data (losing some data, depending on the snapshot), right?

    Correct. But the same is true for physical machines taking snapshots. It is very important to understand that it is snapshots that are protecting you here, not virtualization.


  • Service Provider

    You should have backups, so snapshots are just "yet another tool" that can be used. If you didn't have snapshots, you should be able to recover in the same way from backups. So snapshots aren't really adding anything special here.


  • Service Provider

    @openit said in Are Servers on VMs are Safe from Ransomware ?:

    1. So we were talking about what runs on top of the VM. How about the virtualization server itself? A few of the risk vectors are the administrator's computer, as he will access the virtualization server and VMs through Hyper-V Manager, XenCenter, vSphere, etc. But I haven't seen any credentials saved on Windows for XenCenter, so what are the actual risks here?

    The risk is the same, more or less. If that machine becomes infected, you could lose all of the VMs and all of the snapshots. You have to access that machine somehow, and however you access it is an attack vector.


  • Service Provider

    @openit said in Are Servers on VMs are Safe from Ransomware ?:

    1. I have heard of so many big companies affected by ransomware, so if virtualization is great, why didn't it help them? Aren't their servers virtual? Maybe they meant user computers only?

    Virtualization IS great, but you've made an illogical association randomly between virtualization being "good" and stopping ransomware. Why do you associate those two concepts? Nothing about virtualization being awesome makes it a tool to fight ransomware. A chocolate torte can be super delicious, but it isn't a security tool.


  • Service Provider

    @openit said in Are Servers on VMs are Safe from Ransomware ?:

    1. What effect can a sudden power failure have on the virtualization server, and how is it going to affect the VMs and the host itself? (Off topic, but because it's virtual, I'm including it here :) ) Is that the same effect as on a physical server?

    Correct, exactly the same as a physical server.



  • @scottalanmiller said in Are Servers on VMs are Safe from Ransomware ?:

    A chocolate torte can be super delicious, but it isn't a security tool.

    OK, now I'm hungry...



  • @scottalanmiller said in Are Servers on VMs are Safe from Ransomware ?:

    A chocolate torte can be super delicious, but it isn't a security tool.

    <tongue n cheek>If you were physically attacked and the attacker was allergic to chocolate, smashing it into his face could cause an anaphylactic shock thus saving you and thus being a darn good security tool.</tongue n cheek>

    That being said, the easiest way to think about all of this is that a virtual machine is still a machine, just like a physical machine. You need the same protections for a VM that you would have for a physical machine. I think Scott covered the bases well.


  • Service Provider

    I've seen two virtual machines get cryptoed, so no, it makes no difference. The recovery was quicker, but that's about it.



  • I think what he is really asking is if you have two VMs on the same hardware, does that open them up to ransomware because they're on the same machine?

    If a single VM is infected, that machine is infected. Ransomware will spread to any mapped drives, so hypothetically if you shared drives between these VMs it would absolutely infect anything shared between the infected machines, even if they are VMs. They behave as independent machines as far as ransomware is concerned, from what I have read.

    Please correct me if this is not the case ML.
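    One defensive check for the shared-folder scenario discussed above, added here as an example and not code from anyone in this thread: plant a pair of canary files in the share (names sorted first and last so a bulk encryptor reaches them early and late) and alert when a canary goes missing, is renamed with an extra extension, or changes content. The file names, the temporary directory and the simulated encryption are constructed for the demo.

    ```python
    import hashlib
    import os
    import tempfile
    from pathlib import Path

    # Constructed canary contents and names (assumptions for this example).
    CANARY_FILES = {
        "!0000_do_not_touch.docx": b"canary-a: unchanged reference content\n",
        "zzzz_archive_backup.xlsx": b"canary-z: unchanged reference content\n",
    }

    def sha256_of(path: Path) -> str:
        return hashlib.sha256(path.read_bytes()).hexdigest()

    def plant_canaries(share: Path) -> dict:
        """Write the canary files into the share; return name -> baseline hash."""
        baseline = {}
        for name, data in CANARY_FILES.items():
            p = share / name
            p.write_bytes(data)
            baseline[name] = sha256_of(p)
        return baseline

    def check_canaries(share: Path, baseline: dict) -> list:
        """Return alerts for canaries that are missing/renamed or whose hash changed."""
        alerts = []
        for name, digest in baseline.items():
            p = share / name
            if not p.exists():
                # A renamed canary usually keeps its original name as a prefix
                # (e.g. an appended ransomware extension), so report those too.
                renamed = [q.name for q in share.iterdir() if q.name.startswith(name)]
                alerts.append(f"{name}: missing" + (f", found {renamed}" if renamed else ""))
            elif sha256_of(p) != digest:
                alerts.append(f"{name}: content changed")
        return alerts

    def demo() -> tuple:
        """Plant canaries in a temp 'share', confirm a clean check, then simulate
        what a bulk encryptor does (overwrite one canary, rename the other)."""
        with tempfile.TemporaryDirectory() as d:
            share = Path(d)
            baseline = plant_canaries(share)
            clean = check_canaries(share, baseline)
            # Simulated effects only: random bytes and a renamed file in a temp dir.
            (share / "!0000_do_not_touch.docx").write_bytes(os.urandom(64))
            (share / "zzzz_archive_backup.xlsx").rename(share / "zzzz_archive_backup.xlsx.locked")
            dirty = check_canaries(share, baseline)
        return clean, dirty
    ```

    In practice the check runs on a schedule against the real share, and an alert is the trigger to disconnect the offending workstation and pull the most recent clean snapshot or backup, which is what the replies above identify as the actual protection.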



  • It's also possible that he is actually referring to thin clients and not VMs.



  • I take the stance of if it is a computer, and has an operating system, then yes, it can be affected by ransomware and I protect it as such.


  • Service Provider

    In the case that someone shared from Reddit yesterday, the hacker got on one system and then installed a password cracking tool on the VM to scan for other passwords on the network. To answer @openit's question, it makes no difference, physical or virtual.

    So far we haven't seen a case where, if a VM gets hacked, the attacker gains access to the hypervisor unless passwords are shared, etc.



  • @dafyre Yeah, of course. My point is that it doesn't make it MORE susceptible to ransomware because it's sharing hardware. It is for all intents and purposes (ransomware-wise) a standalone machine.


  • Service Provider

    There have been exploits in Xen, VMware and Hyper-V where, if a guest VM is breached, the attacker can get to the host and therefore other VMs. @Mike-Davis



  • @Breffni-Potter said in Are Servers on VMs are Safe from Ransomware ?:

    There have been exploits in Xen, VMware and Hyper-V where, if a guest VM is breached, the attacker can get to the host and therefore other VMs. @Mike-Davis

    Interesting. I'll have to look that up.


  • Service Provider

    @Breffni-Potter Can you show some examples? I would have thought there would have been all-out data center panic. Can you imagine one Azure VM having access to all the VMs on that host? I'm thinking that would be front-page news.


  • Service Provider

    Different alerts have been posted on this site, guys. This is why we update and patch and watch for notices from vendors.

    Exploits have been and are found on a regular basis; the vendors then patch like lightning to prevent them.

    https://arstechnica.co.uk/security/2015/05/extremely-serious-virtual-machine-bug-threatens-cloud-providers-everywhere/

    You can do your research and Google your hypervisor of choice to see previously patched vulnerabilities.


  • Service Provider

    @Breffni-Potter said in Are Servers on VMs are Safe from Ransomware ?:

    Different alerts have been posted on this site, guys. This is why we update and patch and watch for notices from vendors.

    Exploits have been and are found on a regular basis; the vendors then patch like lightning to prevent them.

    https://arstechnica.co.uk/security/2015/05/extremely-serious-virtual-machine-bug-threatens-cloud-providers-everywhere/

    You can do your research and Google your hypervisor of choice to see previously patched vulnerabilities.

    Thanks for sharing that. It seems an unpatched system is a vulnerability no matter where it is.


  • Service Provider

    @wirestyle22 said in Are Servers on VMs are Safe from Ransomware ?:

    @Breffni-Potter said in Are Servers on VMs are Safe from Ransomware ?:

    There have been exploits in Xen, VMware and Hyper-V where, if a guest VM is breached, the attacker can get to the host and therefore other VMs. @Mike-Davis

    Interesting. I'll have to look that up.

    VMware had one happen just this past week.


  • Service Provider

    @Mike-Davis said in Are Servers on VMs are Safe from Ransomware ?:

    @Breffni-Potter Can you show some examples? I would have thought there would have been all-out data center panic. Can you imagine one Azure VM having access to all the VMs on that host? I'm thinking that would be front-page news.

    It was pretty big news last week when it was demonstrated on VMware. I've not heard of it on Xen.


  • Service Provider

    @Mike-Davis said in Are Servers on VMs are Safe from Ransomware ?:

    Thanks for sharing that. It seems an unpatched system is a vulnerability no matter where it is.

    That has always and will always be the case.


  • Service Provider

    @Breffni-Potter said in Are Servers on VMs are Safe from Ransomware ?:

    Different alerts have been posted on this site, guys. This is why we update and patch and watch for notices from vendors.

    Exploits have been and are found on a regular basis; the vendors then patch like lightning to prevent them.

    https://arstechnica.co.uk/security/2015/05/extremely-serious-virtual-machine-bug-threatens-cloud-providers-everywhere/

    You can do your research and Google your hypervisor of choice to see previously patched vulnerabilities.

    Important to note that in this example, it was not the VMs or the hypervisors that were compromised. It was a shared storage device that was hit through the driver. It's a risk of loaded drivers, and it was a floppy driver, so not expected to be seen in production.



  • Theoretically, the guest system is totally isolated by the VM and cannot even "see" the host, let alone attack it; so the guest cannot break out of the VM. Of course, in practice, it has occasionally happened. An attack requires exploiting a security issue (i.e. a programming bug which turns out to have nasty consequences) in the VM implementation or, possibly, the hardware features on which the VM builds. There are few exit routes for data out of the VM; e.g., for Internet access, the VM is emulating a virtual network card, which deals only with the lowest-level packets, not full TCP/IP -- thus, most IP-stack issues remain confined within the VM itself. So bugs leading to breakout from the VM tend to remain rare occurrences.

    There are some kinds of attacks against which VMs are very effective, e.g. fork bombs. From the point of view of the host system, the VM is a single process. A fork bomb in the guest will bring the scheduler in the guest OS to its knees, but for the host this will be totally harmless. Similarly for memory: the VM emulates a physical machine with a given amount of RAM, and will need about that amount of "real" RAM to back it up efficiently. Regardless of what the guest does, the VM will never monopolize more RAM than that. (You still want to limit VM RAM size to, say, at most 1/2 of your physical RAM size, because the extra "real" RAM is handy for disk caching; and the host OS will want to use some, too.)

    Taking into account that malware/ransomware is implemented on the file level, the best method of protection would be based on a block-level recovery tool.

    In addition, the best way to overlook the possibility of losing your data would be the implementation of the 3-2-1 rule. It's a quite common safety measure in the data infrastructure. We actually implement it quite often; it is based on the replication of your data between 3 nodes as well as creating 2 real-time replication copies of the data between the nodes and storing a single copy of your data in a VTL in the cloud.

    For any additional information, I would suggest you take a look at the following article - https://knowledgebase.starwindsoftware.com/explanation/the-3-2-1-backup-rule/

