Ransomware: ESXiArgs Campaign Snares at Least 2,803 Victims
Unpatched VMware Servers Exploited; Florida State Court System Among Victims
A massive ransomware campaign is continuing to exploit unpatched VMware ESXi hypervisors to forcibly encrypt virtual machines and hold them to ransom. But security experts have shared techniques and tools that can be used to restore at least some affected systems without having to pay a ransom.
The ransomware variant being used by attackers has been dubbed ESXiArgs by VMware, which reports that the "critical" heap overflow vulnerability in OpenSLP being exploited, designated CVE-2021-21974, was patched in February 2021. Exploiting the flaw, reached via port 427, enables attackers to run arbitrary code on the VMware system.
The campaign, which appears to be run in a highly automated fashion, has amassed numerous victims since France's CERT-FR computer emergency response team first sounded the alarm on Friday.
By Wednesday, attackers had amassed at least 2,803 victims, according to a list of payment addresses collected from ransom notes by crowdsourced ransomware payment tracking service Ransomwhere, using the Censys and Shodan search engines for internet-connected devices. But security experts suspect there may already be thousands more victims, and it remains unclear how many virtual machines across all victims have been affected.
The ransomware campaign has amassed the most known victims in France, followed by the United States, Germany, Canada and the United Kingdom, based on a Ransomwhere list of IP addresses and wallet addresses published by Jack Cable, a senior technical adviser at the U.S. Cybersecurity and Infrastructure Security Agency. Whether by coincidence or design, notably absent from the list of countries hit by the campaign are Russia and Brazil.
Count of ESXiArgs Victims by Country
Each victim appears to receive a ransom note bearing a unique cryptocurrency wallet address to which they're told to send their payment. Ransomwhere reports that known wallet addresses sent to victims have collectively received only $88,000 via four ransom payments.
"At the moment, it's still hard to know the exact number of victims, however, we believe there is a one-to-one mapping between wallets and victims," says Xavier Bellekens, CEO of Glasgow-based threat intelligence and cyber deception firm Lupovis. He says it's likely that other groups of attackers, including ransomware operations, will soon try to "surf on the wave" of exploiting this VMware flaw. As a result, the one-to-one mapping could change if new groups reuse wallet addresses across victims.
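The victim count above rests on the assumption that each ransom note carries a unique wallet address, and Bellekens notes the count breaks down if wallets get reused. The following Python script is an added example (not Ransomwhere's or CISA's tooling) of how an analyst would check that assumption over a set of collected notes: it extracts Bitcoin addresses in both legacy and bech32 form plus the Tox ID, maps each wallet to the hosts it appeared on, and flags wallets shared across hosts and hosts whose note yields no wallet at all. The host IPs, wallet strings and Tox ID are constructed placeholders of the right shape, not indicators from the campaign.

```python
"""Victim-per-wallet analysis over ESXiArgs-style ransom notes (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Bitcoin address formats (bech32 "bc1..." and legacy base58) and a Tox ID (76 hex chars).
BTC_RE = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{39,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
TOX_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")

# Constructed placeholders: right format, not real wallets or a real Tox ID.
W1 = "bc1q" + "a" * 38
W2 = "bc1q" + "c" * 38
W3 = "1" + "A" * 33
TOX = ("0123456789ABCDEF" * 5)[:76]

# Constructed sample: host IP (documentation ranges) -> ransom note text.
SAMPLE_NOTES: Dict[str, str] = {
    "203.0.113.10": f"Send 2 BTC to {W1} within 3 days. Contact Tox: {TOX}",
    "203.0.113.11": f"Send 2 BTC to {W2}. Contact Tox: {TOX}",
    "198.51.100.7": f"Send 2 BTC to {W3}. Contact Tox: {TOX}",
    "198.51.100.8": f"Send 2 BTC to {W3}. Contact Tox: {TOX}",  # reuses W3
    "192.0.2.44": "Your files are encrypted. Contact Tox: " + TOX,  # no wallet in note
}


def analyze(notes: Dict[str, str]) -> dict:
    """Map wallets to hosts and report whether the one-to-one assumption holds."""
    wallet_hosts: Dict[str, Set[str]] = defaultdict(set)
    tox_ids: Set[str] = set()
    no_wallet: List[str] = []
    for host, note in notes.items():
        wallets = set(BTC_RE.findall(note))
        tox_ids.update(TOX_RE.findall(note))
        if not wallets:
            no_wallet.append(host)
        for wallet in wallets:
            wallet_hosts[wallet].add(host)
    # A wallet seen on more than one host breaks the wallet == victim equivalence.
    reused = {w: sorted(hosts) for w, hosts in wallet_hosts.items() if len(hosts) > 1}
    return {
        "hosts": len(notes),
        "unique_wallets": len(wallet_hosts),
        # Only a valid victim estimate while the mapping is one-to-one.
        "estimated_victims": len(wallet_hosts),
        "one_to_one": not reused,
        "reused_wallets": reused,
        "hosts_without_wallet": sorted(no_wallet),
        "tox_ids": sorted(tox_ids),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_NOTES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed sample the script finds three distinct wallets across five hosts, reports that the mapping is not one-to-one because one wallet appears on two hosts, and lists the host whose note carries no extractable address, which is the case an analyst would review by hand rather than count.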
Italy's cybersecurity agency says the BlackBasta ransomware group may be tied to the attacks, but as yet it has published no evidence to substantiate that claim.
Whichever group is running the attacks, its ransom notes don't link to a data leak site, instead including only a Tox link for victim negotiations, Israeli threat intelligence firm DarkFeed reports. Tox is a peer-to-peer instant messaging protocol that is encrypted end to end.
Using the list published by CISA's Cable, which identifies victims' IP addresses, Reuters reports that the victims appear to include Florida's state court service as well as universities in Hungary and Slovakia, and in the United States, both the Georgia Institute of Technology in Atlanta and Rice University in Houston.
Paul Flemming, director of the Public Information Office for the Florida Supreme Court, confirmed to Reuters that some systems used to administer aspects of the network had been hit, but that "Florida Supreme Court's network and data are secure."
Defenses and Recovery
On the defensive front, experts recommend proactively blocking IP addresses from which ESXiArgs scans have been originating - in search of vulnerable systems - immediately, not least to buy time for teams attempting to get systems patched. Glasgow-based threat intelligence and cyber deception firm Lupovis has published a list of seven IP addresses from which the majority of scanning activity appears to be originating, and it says scanning activity has surged in recent days.
Victims that get hit by the ESXiArgs campaign have been able to recover some virtual machines. To help victims, CISA has released a GitHub script that can be used to automatically recover at least some infected virtual machines.
We released an ESXiArgs ransomware recovery script on GitHub to allow organizations to attempt recovery of virtual machines affected by the ESXiArgs ransomware attacks: https://t.co/cXpP1m03yw #StopRansomware— Cybersecurity and Infrastructure Security Agency (@CISAgov) February 7, 2023
Organizations using unpatched VMware ESXi Servers should immediately isolate those servers and review them for signs of attack, CERT-FR recommends. Patching will not safeguard systems that have already been compromised, it warns, since attackers may have already installed malicious code set to later execute.
For unpatched servers, France's CERT "strongly recommends" that instead of just patching, IT teams completely reinstall the hypervisor, using a currently supported version - ESXi 7.x or ESXi 8.x - and apply all security updates, as well as rapidly install future security updates and disable unnecessary services, including SLP, when possible.
Other CERT-FR recommendations include blocking access to administrator-level services. Options include using a dedicated firewall that restricts access to trusted IP addresses, as well as securing all remote access via VPN.
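CERT-FR's two configuration points, disabling SLP and restricting administrator-level services to trusted addresses, can be audited from the host's own firewall state. The Python script below is an added example, not a tool from VMware, CERT-FR or CISA: it parses text in the shape of the `esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list` outputs, reports an enabled CIMSLP ruleset (the SLP service reached via port 427) and any administrative ruleset still allowed from all addresses, and emits the matching esxcli, `chkconfig` and `slpd` commands as remediation. The sample outputs are constructed, the column layout and the ruleset names `sshServer`, `vSphereClient` and `webAccess` are assumptions to verify against your ESXi version, and `TRUSTED_CIDR_PLACEHOLDER` stands in for your own management network.

```python
"""Audit ESXi firewall ruleset output for SLP exposure and open admin services (added example)."""
from typing import Dict, List

SLP_RULESET = "CIMSLP"
# Assumed names of administrator-level rulesets; adjust to the host's actual ruleset list.
ADMIN_RULESETS = ("sshServer", "vSphereClient", "webAccess")

# Constructed sample in the shape of `esxcli network firewall ruleset list`.
SAMPLE_RULESET_LIST = """\
Name                   Enabled
---------------------  -------
sshServer              true
sshClient              false
CIMSLP                 true
vSphereClient          true
webAccess              true
"""

# Constructed sample in the shape of `esxcli network firewall ruleset allowedip list`.
SAMPLE_ALLOWEDIP_LIST = """\
Ruleset                Allowed IP Addresses
---------------------  --------------------
sshServer              All
CIMSLP                 All
vSphereClient          10.10.0.0/24
webAccess              All
"""


def parse_two_column(text: str) -> Dict[str, str]:
    """Turn a two-column esxcli table into {first column: rest of line}."""
    rows: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("-"):
            continue  # blank or the dashed separator row
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] in ("Name", "Ruleset"):
            continue  # malformed line or the header row
        rows[parts[0]] = parts[1].strip()
    return rows


def audit(ruleset_text: str, allowedip_text: str, admin_rulesets=ADMIN_RULESETS) -> List[dict]:
    """Return one finding per exposure the CERT-FR guidance asks to close."""
    enabled = {name: value.lower() == "true" for name, value in parse_two_column(ruleset_text).items()}
    allowed = parse_two_column(allowedip_text)
    findings: List[dict] = []
    if enabled.get(SLP_RULESET):
        findings.append({"ruleset": SLP_RULESET, "issue": "slp_enabled",
                         "detail": "SLP (port 427) still reachable; disable the service"})
    for ruleset in admin_rulesets:
        # A missing allowedip row means no restriction was configured, so treat it as "All".
        if enabled.get(ruleset) and allowed.get(ruleset, "All") == "All":
            findings.append({"ruleset": ruleset, "issue": "admin_open_to_all",
                             "detail": "administrative service reachable from any address"})
    return findings


def remediation_commands(findings: List[dict], trusted_cidr: str = "TRUSTED_CIDR_PLACEHOLDER") -> List[str]:
    """Map findings to the esxcli/chkconfig commands that close them (run on the ESXi shell)."""
    commands: List[str] = []
    for finding in findings:
        if finding["issue"] == "slp_enabled":
            commands += ["/etc/init.d/slpd stop",
                         f"esxcli network firewall ruleset set -r {SLP_RULESET} -e 0",
                         "chkconfig slpd off"]
        elif finding["issue"] == "admin_open_to_all":
            commands += [f"esxcli network firewall ruleset set -r {finding['ruleset']} --allowed-all false",
                         f"esxcli network firewall ruleset allowedip add -r {finding['ruleset']} -i {trusted_cidr}"]
    return commands


if __name__ == "__main__":
    found = audit(SAMPLE_RULESET_LIST, SAMPLE_ALLOWEDIP_LIST)
    for finding in found:
        print(f"[{finding['issue']}] {finding['ruleset']}: {finding['detail']}")
    print("\n".join(remediation_commands(found)))
```

On the sample the audit flags CIMSLP plus the two admin rulesets still open to all addresses and leaves `vSphereClient` alone because it is already pinned to a CIDR. The generated commands only close the firewall and stop the service; as CERT-FR stresses, a host that was already exposed still needs to be isolated and reviewed, and reinstalled rather than merely patched.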
The Problem With Hypervisor Patching
VMware has been urging users to fix the targeted flaw since it released a patch in February 2021. In May 2021, security researcher Johnny Yu released proof-of-concept code for exploiting the flaw.
Since then, why have so many organizations failed to patch it?
"Hypervisors are often hard to patch and therefore, a high-friction job, which makes teams less likely to patch them," says Bellekens. "Hopefully this vulnerability and its impact will incentivize vendors to address patching, updates and upgrade difficulties."
Until then, upgrading hypervisors is typically not for the faint of heart, especially where production systems might be involved, says Ian Thornton-Trump, CISO of London-based threat-intelligence firm Cyjax. "To me, it's like trying to upgrade an application server OS while in production and potentially blowing up all the things," he says.
Numerous factors lead IT teams to avoid having to deal with the care and feeding of hypervisors, says Daniel Card, a cyber specialist at London-based Xservus Limited. "It's very easy to deploy a virtualized environment but when it comes to updates, it is a pain," he says. "Also it's very easy to not do that, because of constraints involving time, money and skills."
Given such challenges, Thornton-Trump says hypervisors remain ripe for outsourcing. "For folks that have moved beyond 'VM' and embraced infrastructure as a service, like SQL as a service or other database technologies in third-party clouds, the hypervisor defenses fall into the category of a 'someone else's problem' and not your IT or security delivery team's," he says. "It seems to be more cost-effective and perhaps even more robust if downtime - even anticipated downtime - costs are large."