Italy, France and Singapore Warn of a Spike in ESXI Ransomware

ESXi ransomware targeted thousands of VMware servers in a global-scale campaign, security experts and international CERTs warn.

Thousands of servers have been hit by a global ransomware campaign targeting VMware (VMW.N) ESXi hosts.


ESXi is VMware’s hypervisor, a technology that allows organizations to host several virtualized computers running multiple operating systems on a single physical server. The Computer Emergency Response Team of France (CERT-FR) was the first to notice the attack and send an alert about it.

Italy’s National Cybersecurity Agency (ACN) and the Cyber Security Agency of Singapore have also issued warnings urging organizations to take immediate action to protect their systems.

Notably, the alerts follow the publication last week of a Resecurity report on the Nevada Ransomware group, which released a modified locker that also supports ESXi. Resecurity’s report covers the ransomware in detail and describes the affiliate network managed by the actors.

The French cloud provider OVHcloud also published a report linking this massive wave of attacks targeting VMware ESXi servers to the Nevada ransomware operation: “According to experts from the ecosystem as well as authorities, they might be related to Nevada ransomware and using CVE-2021-21974. Investigations are still ongoing to confirm those assumptions,” OVHcloud CISO Julien Levrard said. “The attack is primarily targeting ESXi servers in versions before 7.0 U3i, apparently through the OpenSLP port (427).”

Resecurity has noted that the Nevada Ransomware group has multiple affiliates, which could be using a customized version of the locker, or modifications of it, that generate different file extensions. For example, in some incidents from the same campaign the ransomware encrypts files with the .vmxf, .vmx, .vmdk, .vmsd and .nvram extensions on compromised ESXi servers, then creates a .args file next to each encrypted file holding metadata (likely needed for decryption). That companion file is why researchers named the strain ESXiArgs ransomware.
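The .args companion file is the most reliable on-disk indicator the article describes, so a quick way to triage a datastore is to look for exactly that pairing: a file with one of the listed extensions sitting next to a file of the same name plus `.args`. The script below is an added example, not code from the article, Resecurity or OVHcloud; the datastore listing it runs on is constructed for illustration, and the `/vmfs/volumes/<datastore>/<vm>/` layout is an assumption about how the host is laid out.

```python
"""Triage helper for the ESXiArgs file pattern: a VM file whose extension is
one of those the article lists, sitting next to a '<same name>.args'
companion. Added example, not code from the article, Resecurity or
OVHcloud; the listing below is constructed for illustration."""
import os
import posixpath
from collections import Counter

# Extensions the article reports the locker encrypting on ESXi datastores.
TARGET_EXTENSIONS = {".vmxf", ".vmx", ".vmdk", ".vmsd", ".nvram"}
ARGS_SUFFIX = ".args"

# Constructed listing of one datastore (assumption: the usual
# /vmfs/volumes/<datastore>/<vm>/ layout). web01 shows the hallmark pairing,
# db01 is untouched, and web01's large -flat.vmdk has no companion.
SAMPLE_LISTING = [
    "/vmfs/volumes/ds1/web01/web01.vmx",
    "/vmfs/volumes/ds1/web01/web01.vmx.args",
    "/vmfs/volumes/ds1/web01/web01.vmdk",
    "/vmfs/volumes/ds1/web01/web01.vmdk.args",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk",
    "/vmfs/volumes/ds1/web01/web01.vmsd",
    "/vmfs/volumes/ds1/web01/web01.nvram",
    "/vmfs/volumes/ds1/web01/web01.nvram.args",
    "/vmfs/volumes/ds1/web01/vmware.log",
    "/vmfs/volumes/ds1/db01/db01.vmx",
    "/vmfs/volumes/ds1/db01/db01.vmdk",
    "/vmfs/volumes/ds1/db01/db01-flat.vmdk",
]


def find_esxiargs_pairs(paths):
    """Return sorted (encrypted_file, args_file) pairs: a file with a targeted
    extension that has a sibling '<file>.args'. A lone .args file, or a
    targeted file without a companion, is deliberately not reported so the
    output stays low on false positives; review those by hand."""
    present = set(paths)
    pairs = []
    for path in sorted(present):
        if path.endswith(ARGS_SUFFIX):
            continue
        ext = posixpath.splitext(path)[1].lower()
        if ext in TARGET_EXTENSIONS and path + ARGS_SUFFIX in present:
            pairs.append((path, path + ARGS_SUFFIX))
    return pairs


def affected_vm_dirs(pairs):
    """Count hits per VM directory so the list can go straight to whoever
    restores from backup."""
    return Counter(posixpath.dirname(enc) for enc, _ in pairs)


def scan_datastore(root):
    """Walk a real mount point (e.g. /vmfs/volumes on a host being triaged)
    and apply the same pairing rule. Read-only: no file contents are opened."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return find_esxiargs_pairs(paths)


if __name__ == "__main__":
    hits = find_esxiargs_pairs(SAMPLE_LISTING)
    for enc, args in hits:
        print(f"encrypted: {enc}  metadata: {args}")
    for vm_dir, n in affected_vm_dirs(hits).items():
        print(f"{vm_dir}: {n} paired file(s)")
```

Run it against the constructed listing and it reports three pairs, all under `web01`; point `scan_datastore` at a real mount to triage a host. Because it only reads directory names, it is safe to run on a host that is still being preserved for forensics.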

Notably, this weekend saw three ransomware actors targeting ESXi and Linux: Royal, Nevada and ESXiArgs.

The attack exploits a heap-overflow vulnerability in the OpenSLP service bundled with VMware ESXi, tracked as CVE-2021-21974 and patched by VMware in February 2021. The flaw sits in the Service Location Protocol (SLP) daemon listening on port 427 and allows an attacker who can reach that port to execute arbitrary code on the host. VMware’s advisory rates the vulnerability as “important” (CVSSv3 8.8) rather than “critical,” but the practical impact is the same: a malicious actor on the same network segment as an unpatched ESXi host can trigger the overflow, take full control of the hypervisor and, with it, every VM it runs. Patching is the fix; VMware’s published workaround for hosts that cannot be patched immediately is to stop the slpd service and disable the CIMSLP firewall ruleset so port 427 is no longer reachable.
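Whether a host is still exposed comes down to two settings that the host itself can report: is the slpd service enabled, and is the CIMSLP firewall ruleset open. The script below is an added example, not code from the article or from VMware; it parses the two-column output of `esxcli network firewall ruleset list` and `chkconfig --list` (the sample output is constructed, and it is an assumption that your ESXi build prints the same columns) and returns a verdict plus the workaround commands in the order VMware’s guidance applies them.

```python
"""Check whether an ESXi host still exposes the OpenSLP service that
CVE-2021-21974 lives in, from the output of two stock host commands:
`esxcli network firewall ruleset list` and `chkconfig --list`.
Added example, not code from the article or VMware. The command output
below is constructed to match those tools' two-column layout (assumption:
your ESXi build prints the same columns)."""
import re

SLP_RULESET = "CIMSLP"   # firewall ruleset that opens 427/tcp+udp
SLP_SERVICE = "slpd"     # the OpenSLP daemon itself

# Constructed output of `esxcli network firewall ruleset list` on an
# unhardened host: the SLP ruleset is still enabled.
SAMPLE_RULESET_LIST = """\
Name                      Enabled
------------------------  -------
sshServer                 true
sshClient                 false
CIMSLP                    true
vSphereClient             true
"""

# Constructed output of `chkconfig --list` on the same host.
SAMPLE_CHKCONFIG = """\
slpd                   on
sshd                   on
vpxa                   on
"""


def parse_ruleset_list(text):
    """Map ruleset name -> enabled flag, skipping the header and the dashed
    separator. Lines that do not fit the two-column shape are ignored rather
    than guessed at."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[0] == "Name" or set(parts[0]) == {"-"}:
            continue
        rules[parts[0]] = parts[1].lower() == "true"
    return rules


def parse_chkconfig(text):
    """Map service name -> True when the service is 'on'."""
    services = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+(on|off)\s*$", line)
        if m:
            services[m.group(1)] = m.group(2) == "on"
    return services


def slp_exposure(ruleset_text, chkconfig_text):
    """Combine both views. SLP is reachable only when the daemon is enabled
    *and* the firewall ruleset is open; each flag is reported separately so
    the operator knows which knob is still wrong. Remediation follows the
    stop-service, close-firewall, disable-at-boot order of VMware's workaround."""
    firewall_open = parse_ruleset_list(ruleset_text).get(SLP_RULESET, False)
    daemon_on = parse_chkconfig(chkconfig_text).get(SLP_SERVICE, False)
    actions = []
    if daemon_on:
        actions.append(f"/etc/init.d/{SLP_SERVICE} stop")
    if firewall_open:
        actions.append(f"esxcli network firewall ruleset set -r {SLP_RULESET} -e 0")
    if daemon_on:
        actions.append(f"chkconfig {SLP_SERVICE} off")
    return {
        "firewall_open": firewall_open,
        "slpd_enabled": daemon_on,
        "exposed": firewall_open and daemon_on,
        "remediation": actions,
    }


if __name__ == "__main__":
    print(slp_exposure(SAMPLE_RULESET_LIST, SAMPLE_CHKCONFIG))
```

Treat the workaround as exactly that: it removes the network path to the vulnerable code but does not fix it, so the host still needs the February 2021 patch level or later. Pair the host-side check with a scan from outside the management segment to confirm nothing else (a NAT rule, a second vmkernel interface) still makes 427 reachable.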

Pierluigi Paganini

(SecurityAffairs – hacking, ESXi ransomware)