Given the dramatic spike in ransomware attacks since 2019, its important that businesses prepare as many barriers between their data and ransomware gangs as possible.
Most businesses rely exclusively on anti-virus to prevent ransomware. Some that are more cybersecurity conscious will maintain strict complex password enforcement, strict access control, and some even employ software dedicated to stopping ransomware specifically.
But with more businesses moving to the cloud, hypervisors have become a seldom written about defense against ransomware. Their power to virtualize and segregate the machines hosting your data creates another powerful layer of protection.
What is a Hypervisor?
Hypervisors, sometimes known as cloud OS’ come in two varieties.
Variety 1 known as Type 1 hypervisors refers to software that sits on the bare metal of a desktop or server. Instead of deploying an OS like Windows of Linux on the metal, a hypervisor will be installed then the OS of choice is installed on virtual machines hosted on the hypervisor. These virtual machines then are self-contained computers where you can split resources like RAM, CPU, and storage from the metal. Examples include Verge, ProxMox, Microsoft Hyper-V, VMware ESXi.
Type 2 hypervisors on the other hand sit on top of an already installed operating system. They are then used to create virtual machines which act as virtualized self-contained computers. You can then install your operating system of choice on the virtual machines and provision RAM, CPU, and storage from resources that are not already taken from the host operating system. A popular example is Oracle VirtualBox.
The primary use of a hypervisor is to take resources from a base system, then split those resources into self-contained virtual machines. These virtual machines can then be used for development, testing potentially malicious software, hosting websites, storing data separate from the main machine, etc.
Because hypervisors segregate data, they are quite a useful role-player for defending against ransomware.
What is Ransomware?
Ransomware is software created for the purpose of encrypting data and thus locking the target out of critical files.
Ransomware is commonly distributed through RDP attacks, phishing emails, intricate social engineering conversations, espionage, or disgruntled employees.
Unencrypting ransomware files typically involves paying the ransomware gang a fee for an unlock key which can be used to unencrypt the files. Payments are typically made using a cryptocurrency like Bitcoin. Often even after making payment, the unlock key is not provided.
Other than paying, businesses typically rely on backups to revive old version of their files.
Hypervisors Offer an Important Defense Mechanism for Your Business
Successfully defending against ransomware means maintaining several barriers between your data and attackers.
Hypervisors offer several features that create these barriers as well as help you maintain a plan B in the event that your systems are infiltrated. Here are 3 ways that hypervisors keep your data safe from attackers.
Hypervisors Wall Off Your Data
If you keep your application, database, etc, all inside virtual machines hosted on a hypervisor, the hypervisor walls your data off into several different machines that can speak to each other. These machines can be configured to have separate credentials, IPs, or even completely different operating systems.
Walling your data off into several machines prevents attackers from casting a wide attack over your data and disabling your business.
Consider This Scenario:
You have a development VM, a back-end database server VM, and an application front-end. Your development server likely sees the most interaction and therefore is the most likely to become infected with ransomware. If ransomware hits your development server, your front-end and back-end are on separate systems thanks to your hypervisor. Therefore, despite potentially losing some work on your development end, your environment remains productive. A hypervisor splitting your data into separate machines potentially saved your business.
Hypervisors Have Fast Backup and Restore
One of the costliest activities when recovering from a ransomware attack is restoring your systems. Using legacy backup systems this can easily take days. Between restoring backups, rendezvousing staff, communicating with clients, and monitoring remaining systems, it takes a business 15-21 days to recover from a ransomware attack.
Using KVM hypervisors like Verge or Proxmox you can automate a regular backup schedule that can take minutes to restore. Restoring your data quickly means you can move more swiftly on other recovery tasks and resume operations quicker.
Hypervisors Provide a Low-Risk Base Operating System
Type 1 hypervisors (the kind cloud providers like ZebraHost use) sit directly on the server metal. This means that there is no regular interaction with a base operating system like Linux, BSD, or Windows. This reduces the risk for a ransomware attack that will cut off your entire system.
Not having a base operating system that can become encrypted also reduces the risk of ransomware that specifically lock your entire bootloader. If you employ a hypervisor, bootloader ransomware like Petya must go after specific virtual machines.
Points to Be Aware Of
Though hypervisors can be a powerful addition to your security stack, they are not a catch all. You will still be required to have traditional security like anti-virus, firewall, ransomware protection and backups.
Here’s some things you need to be aware of before you consider how a hypervisors can help you defend against ransomware.
Hypervisors Provide Limited Defense Against Attacks Targeting Specific VMs
Hypervisors can help defend the bulk of your data because data is segregate across multiple machines, plus the hypervisor serves as the base software layer on your metal.
But if an attacker only wants to infect a specific machine, the hypervisor will do little to prevent or defend the machine against an initial attack. A positive however is that the hypervisor can still provide quick restore from a backup should the machine become infected.
You must still defend each of your virtual machines with anti-virus and ransomware-defense software.
Ransomware for Hypervisors is Coming
As businesses move to the cloud, the focus for ransomware gangs is how to encrypt valuable cloud data. Because hypervisors are the base for many cloud servers, ransomware gangs are slowly developing ransomware that can infect hypervisors.
A present, its unlikely your business will be hit with hypervisor-infecting ransomware. But the possibility is growing.
A python-based malware that targets VMware ESXi has been discovered in 2021. According to an article from ZDnet, “the scrip used to hijack the company’s VM setup… contained variables including different sets of encryption keys, email addresses, and options for customizing the suffix used to encrypt files in a ransomware-based attack”.
Hypervisors Represent A Single Point of Attack
You can think of a business’ hypervisor like it’s capitol during a war. It is well fortified and difficult to target but if it falls, everything else falls.
A bad actor would need direct access to the hypervisor credentials of a high-level systems admin to have access. Plus, they will likely also need to be connected to the business’ VPN. This makes the hypervisor a less likely attack than a VM but should attacker gain access, they can encrypt all the hosted virtual machines and delete backups.
Make sure credentials for your hypervisor are closely guarded by only your most trusted employees.
Hypervisors are an excellent way to add more security to your business. Segregating data into multiple individual virtualized systems creates a lot of work and hassle for hackers. Virtual Machines also limit the total impact if you are attacked.
But hypervisors are not built for the purpose of cybersecurity, and you will still need to defend your valuable virtual machines and credentials just like any other setup. Make sure you are using anti-virus, ransomware protection software, firewall, 2FA, and backups.