Application Security , Business Continuity Management / Disaster Recovery , Cybercrime

Ransomware: ESXiArgs Campaign Snares at Least 2,803 Victims

Unpatched VMware Servers Exploited; Florida State Court System Among Victims
Ransomware: ESXiArgs Campaign Snares at Least 2,803 Victims
Florida's state court system, but not its Supreme Court, is among the ESXiArgs ransomware campaign victims. (Image: Bruin79/Wikimedia)

A massive ransomware campaign is continuing to exploit unpatched VMware ESXi hypervisors to forcibly encrypt virtual machines and hold them to ransom. But security experts have shared techniques and tools that can be used to restore at least some affected systems without having to pay a ransom.

See Also: APAC Webinar | Mythbusting MDR

The ransomware variant being used by attackers has been dubbed ESXiArgs by VMware, which reports that the "critical" heap overflow vulnerability in OpenSLP being exploited, designated CVE-2021-21974, was patched in February 2021. Exploiting the flaw, reached via port 427, enables attackers to run arbitrary code on the VMware system.

The campaign, which appears to be run in a highly automated fashion, has amassed numerous victims since France's CERT-FR computer emergency response team first sounded the alarm on Friday.

By Wednesday, attackers had amassed at least 2,803 victims, according to a list of payment addresses collected from ransom notes by crowdsourced ransomware payment tracking service Ransomwhere, using the Censys and Shodan search engines for internet-connected devices. But security experts suspect there may already be thousands more victims, and it remains unclear how many virtual machines across all victims have been affected.

The ransomware campaign has amassed the most known victims in France, followed by the United States, Germany, Canada and the United Kingdom, based on a Ransomwhere list of IP addresses and wallet addresses published by Jack Cable, a senior technical adviser at the U.S. Cybersecurity and Infrastructure Security Agency. Whether by coincidence or design, notably absent from the list of countries hit by the campaign are Russia and Brazil.

Count of ESXiArgs Victims by Country

Image: Information Security Media Group, based on data published by Ransomwhere

Each victim appears to receive a ransom note bearing a unique cryptocurrency wallet address to which they're told to send their payment. Ransomwhere reports that known wallet addresses sent to victims have collectively received only $88,000 via four ransom payments.

"At the moment, it's still hard to know the exact number of victims, however, we believe there is a one-to-one mapping between wallets and victims," says Xavier Bellekens, CEO of Glasgow-based threat intelligence and cyber deception firm Lupovis. He says it's likely that other groups of attackers, including ransomware operations, will soon try to "surf on the wave" of exploiting this VMware flaw. As a result, the one-to-one mapping could change if new groups reuse wallet addresses across victims.

Italy's cybersecurity agency says the BlackBasta ransomware group may be tied to the attacks, but as yet it has published no evidence to substantiate that claim.

Whichever group is running the attacks, its ransom notes don't link to a data leak site, instead including only a Tox link for victim negotiations, Israeli threat intelligence firm DarkFeed reports. Tox is a peer-to-peer instant messaging protocol that is encrypted end to end.

Using the list published by CISA's Cable, which identifies victims' IP addresses, Reuters reports that the victims appear to include Florida's state court service as well as universities in Hungary and Slovakia, and in the United States, both the Georgia Institute of Technology in Atlanta and Rice University in Houston.

Paul Flemming, director of the Public Information Office for the Florida Supreme Court, confirmed to Reuters that some systems used to administer aspects of the network had been hit, but that "Florida Supreme Court's network and data are secure."

Defenses and Recovery

On the defensive front, experts recommend proactively blocking IP addresses from which ESXiArgs scans have been originating - in search of vulnerable systems - immediately, not least to buy time for teams attempting to get systems patched. Glasgow-based threat intelligence and cyber deception firm Lupovis has published a list of seven IP addresses from which the majority of scanning activity appears to be originating, and it says scanning activity has surged in recent days.

Victims that get hit by the ESXiArgs campaign have been able to recover some virtual machines. To help victims, CISA has released a GitHub script that can be used to automatically recover at least some infected virtual machines.

Organizations using unpatched VMware ESXi Servers should immediately isolate those servers and review them for signs of attack, CERT-FR recommends. Patching will not safeguard systems that have already been compromised, it warns, since attackers may have already installed malicious code set to later execute.

For unpatched servers, France's CERT "strongly recommends" that instead of just patching, IT teams completely reinstall the hypervisor, using a currently supported version - ESXi 7.x or ESXi 8.x - and apply all security updates, as well as rapidly install future security updates and disable unnecessary services, including SLP, when possible.

Other CERT-FR recommendations include blocking access to administrator-level services. Options include using a dedicated firewall that restricts access to trusted IP addresses, as well as securing all remote access via VPN.

The Problem With Hypervisor Patching

VMware has been urging users to fix the targeted flaw since it released a patch in February 2021. In May 2021, security researcher Johnny Yu released proof-of-concept code for exploiting the flaw.

Since then, why have so many organizations failed to patch it?

"Hypervisors are often hard to patch and therefore, a high-friction job, which makes teams less likely to patch them," says Bellekens. "Hopefully this vulnerability and its impact will incentivize vendors to address patching, updates and upgrade difficulties."

Until then, upgrading hypervisors is typically not for the faint of heart, especially where production systems might be involved, says Ian Thornton-Trump, CISO of London-based threat-intelligence firm Cyjax. "To me, it's like trying to upgrade an application server OS while in production and potentially blowing up all the things," he says.

Numerous factors lead IT teams to avoid having to deal with the care and feeding of hypervisors, says Daniel Card, a cyber specialist at London-based Xservus Limited. "It's very easy to deploy a virtualized environment but when it comes to updates, it is a pain," he says. "Also it's very easy to not do that, because of constraints involving time, money and skills."

Given such challenges, Thornton-Trump says hypervisors remain ripe for outsourcing. "For folks that have moved beyond 'VM' and embraced infrastructure as a service, like SQL as a service or other database technologies in third-party clouds, the hypervisor defenses fall into the category of a 'someone else's problem' and not your IT or security delivery team's," he says. "It seems to be more cost-effective and perhaps even more robust if downtime - even anticipated downtime - costs are large."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.