Are Servers on VMs are Safe from Ransomware ?
-
Hello all,
I am looking to have deep understanding about risks from Ransomware malware and see how Virtualization helps us to protect from.
I have read somewhere on Internet that "Ransomware removes itself once it detects the machine is VM not physical", not sure if I remember correctly ?
Lets say all my production servers (file server, erp, etc.) on VMs on top of Hyper-V / XenServer/ VMWare Virtualization Server.
Scenarios :
- If user's computer infected, virus will encrypt all his computer data and also shared folder (on which he have write access) from File Server (which is on VM). Scheduled VMs Snapshot enabled. So if I revert back to snapshot earlier to infection on File Server, I can get back whole data (by losing some data, depends on snapshot), right ?
Note: I can understand with this above step reverting back with snapshot can undo settings and loss of some data which was not infected and not required to recover.
-
So we were talking about on top of VM. How about Virtualization server itself ? Few of vectors for risk are Administrator computer ? as he will access the Virtualization Server and VMs through Hyper-V Manger, XenCenter, vSphere etc. ? But I didn't seen any credentials saved on Windows for XenCenter, so what are the actual risk here ?
-
I heard so many big companies effected with ransomware virus, so if Virtualization is great, why it didn't helped them ? Aren't they virtual (servers) ? maybe they meant for user computers only ?
-
What effect can be with sudden power failure for Virtualization Server, how its going to effect VMs and Host itself ? (out of topic, but bcoz Virtual, including here
) Is that same effect as if a physical server ?
Thanks. I will add more questions, as they are available
-
No, nothing makes them safe. Being on a VM does nothing to protect a machine from ransomeware, it runs exactly like a physical machine.
-
@openit said in Are Servers on VMs are Safe from Ransomware ?:
I have read somewhere on Internet that "Ransomware removes itself once it detects the machine is VM not physical", not sure if I remember correctly ?
It might or might not. Nothing about something being ransomware tells you if it will do this or not.
-
@openit said in Are Servers on VMs are Safe from Ransomware ?:
Lets say all my production servers (file server, erp, etc.) on VMs on top of Hyper-V / XenServer/ VMWare Virtualization Server.
Scenarios :
- If user's computer infected, virus will encrypt all his computer data and also shared folder (on which he have write access) from File Server (which is on VM). Scheduled VMs Snapshot enabled. So if I revert back to snapshot earlier to infection on File Server, I can get back whole data (by losing some data, depends on snapshot), right ?
Correct. But the same is true for physical machines taking snapshots. It is very important to understand that it is snapshots that are protecting you here, not virtualization.
-
You should have backups, so snapshots are just "yet another tool" that can be used. If you didn't have snapshots, you should be able to recover in the same way from backups. So snapshots aren't really adding anything special here.
-
@openit said in Are Servers on VMs are Safe from Ransomware ?:
- So we were talking about on top of VM. How about Virtualization server itself ? Few of vectors for risk are Administrator computer ? as he will access the Virtualization Server and VMs through Hyper-V Manger, XenCenter, vSphere etc. ? But I didn't seen any credentials saved on Windows for XenCenter, so what are the actual risk here ?
Risk is the same, more or less. If that machine becomes infected, you could lose all of the VMs and all of the snapshots. You have to access that machine somehow and however you access it is an attack vector.
-
@openit said in Are Servers on VMs are Safe from Ransomware ?:
- I heard so many big companies effected with ransomware virus, so if Virtualization is great, why it didn't helped them ? Aren't they virtual (servers) ? maybe they meant for user computers only ?
Virtualzation IS great, but you've made an illogical association randomly between virtualization being "good" and stopping ransomware. Why do you associate those two concepts? Nothing about virtualization being awesome makes it a tool to fight ransomware. A chocolate torte can be super delicious, but it isn't a security tool.
-
@openit said in Are Servers on VMs are Safe from Ransomware ?:
- What effect can be with sudden power failure for Virtualization Server, how its going to effect VMs and Host itself ? (out of topic, but bcoz Virtual, including here ) Is that same effect as if a physical server ?
Correct, exact same as a physical server.
- What effect can be with sudden power failure for Virtualization Server, how its going to effect VMs and Host itself ? (out of topic, but bcoz Virtual, including here
-
@scottalanmiller said in Are Servers on VMs are Safe from Ransomware ?:
A chocolate torte can be super delicious, but it isn't a security tool.
OK, now I'm hungry...
-
@scottalanmiller said in Are Servers on VMs are Safe from Ransomware ?:
A chocolate torte can be super delicious, but it isn't a security tool.
<tongue n cheek>If you were physically attacked and the attacker was allergic to chocolate, smashing it into his face could cause an anaphylactic shock thus saving you and thus being a darn good security tool.</tongue n cheek>
That being said the easiest way to think about all of this is that a Virtual Machine is still a machine, right like a physical machine. You need the same protections for a VM that you would have for a physical machine. I think Scott covered the bases well.
-
I've seen two virtual machines get cryptoed, so no, it makes no difference. The recovery was quicker, but that's about it.
-
I think what he is really asking is if you have two VM's on the same hardware, does that open them up to ransomware because it's on the same machine?
If a single VM is infected, that machine is infected. Ransomware will spread to any mapped drives, so hypothetically if you shared drives between these VM's it would absolutely infect anything shared between the infected machines even if they are VM's. They behave as independent machines as far as ransomware is concerned from what I have read.
Please correct me if this is not the case ML.
-
It's also possible that he is actually referring to thin clients and not VM's
-
I take the stance of if it is a computer, and has an operating system, then yes, it can be affected by ransomware and I protect it as such.
-
In the case that someone shared from reddit yesterday, the hacker got on one system and then installed a password cracking tool on the VM to scan for other passwords on the network. To answer @openit 's question, it makes no difference physical or virtual.
So far we haven't seen a case where if a VM gets hacked the attacker gains access to the hyper visor unless passwords are shared, etc.
-
@dafyre Yeah of course. My point is that is doesn't make it MORE susceptible to ransomware because it's sharing hardware. It is for all intents and purposes (ransomware wise) a standalone machine.
-
There have been exploits in Xen & VMWare & Hyper-v where if a guest VM is breached, the attacker can get to the host and therefore, other VMs. @Mike-Davis
-
@Breffni-Potter said in Are Servers on VMs are Safe from Ransomware ?:
There have been exploits in Xen & VMWare & Hyper-v where if a guest VM is breached, the attacker can get to the host and therefore, other VMs. @Mike-Davis
Interesting. I'll have to look that up.
-
@Breffni-Potter Can you show some examples? I would have thought there would have been all out data center panic. Can you imagine one Azure VM having access to all the VMs on that host? I'm thinking that would be front page news.
-
Different alerts have been posted on this site guys, This is why we update and patch and watch for notices from vendors.
Exploits have and are found on a regular basis, the vendors then patch like lightning to prevent it.
You can do your research and google your hypervisor of choice to see previous patched vulnerabilities.
