Home / News / Internet / Hackers launch extensive ransomware campaign using two-year-old VMware flaw

Hackers launch extensive ransomware campaign using two-year-old VMware flaw

A two-year-old VMware vulnerability is currently being actively exploited by cybercriminals as part of a global ransomware campaign that targets thousands of organizations.

Over the weekend, reports surfaced claiming that a ransomware variant known as “ESXiArgs” had infected and scrambled VMware ESXi servers that had been left unpatched and exposed to a remotely exploitable bug from 2021. The hypervisor developed by VMware, known as ESXi, enables businesses to host a number of virtualized computers running various operating systems on a single physical server.

While Italy’s national cybersecurity agency ACN on Sunday warned of a large-scale ransomware campaign targeting thousands of servers across Europe and North America, France’s CERT-FR computer emergency response team reports that cybercriminals have been targeting VMware ESXi servers since February 3.

Additionally, US cybersecurity officials have confirmed that they are looking into the ESXiArgs campaign. A CISA spokesperson told “working with our public and private sector partners to assess the impacts of these reported incidents and providing assistance where needed.” Any company experiencing a cybersecurity incident should contact CISA or the FBI right away.

According to the Italian ANSA news agency, cybersecurity experts in Italy warned that the ESXi flaw could be used by unauthenticated threat actors in simple attacks that don’t require the use of employee passwords or secrets. Due to the quantity of unpatched machines, the ransomware campaign is already causing “significant” damage, according to the local press.

According to a Censys search, the ESXiArgs ransomware campaign has so far compromised more than 3,200 VMware servers globally (via Bleeping Computer). The United States, Germany, Canada, France, and the United Kingdom are the nations most impacted, in that order.

Who is responsible for the ransomware campaign is unclear. OVHCloud, a French provider of cloud computing, has retracted its initial findings that suggested a connection to the Nevada ransomware variant.

Threat intelligence provider DarkFeed shared a copy of the purported ransom note, which reveals that the attackers used a “triple-extortion” strategy in which they threatened to inform the victims’ customers of the data breach. The ransom demand from the unidentified attackers is 2.06 bitcoin, or about $19,000, and each note contains a different bitcoin wallet address.

VMware’s Doreen Ruyak, a spokesperson for the company, said in a statement to that the company was aware of reports that the ransomware variant known as ESXiArgs “appears to be leveraging the vulnerability identified as CVE-2021-21974” and that patches for the vulnerability “were made available to customers in VMware’s security advisory of February 23, 2021.”

Organizations running ESXi versions affected by CVE-2021-21974 and who have not yet applied the patch should follow the advisory’s instructions, the spokesperson said. “Security hygiene is a key component of preventing ransomware attacks,” the spokesperson added.

About Chambers

Check Also

The Air Force has abandoned its attempt to install a directed-energy weapon on a fighter jet, marking another failure for airborne lasers

The U.S. military’s most recent endeavor to create an airborne laser weapon, designed to safeguard …