Security solutions can't protect unpatched networks.
February 7, 2023
Malicious hackers have hit thousands of VMware ESXi hypervisors with ransomware, exploiting a two-year-old vulnerability.
The attacks have taken place globally, including in the United States, Canada, France and Italy. VMware ESXi allows organizations to host several virtualized computers running multiple operating systems on a single physical server.
The French Computer Emergency Response Team (CERT-FR) warned that attackers were actively targeting unpatched, two-year-old remote code execution vulnerabilities with a new ESXiArgs ransomware deployment. It said the attacks began Feb. 3.
According to CERT-FR, the attacks have affected thousands of servers; it is not yet known what data, if any, was stolen.
VMware sent us the following statement:
“According to public reports, a ransomware variant dubbed ESXiArgs appears to be targeting end-of-general-support or significantly out-of-date products by leveraging known vulnerabilities previously addressed and disclosed in VMware security advisories (VMSAs). VMware has not found any evidence that would suggest an unknown or zero day vulnerability is being used to propagate the ransomware in the ESXiArgs attacks. The security of our customers is a top priority at VMware. And we recommend organizations upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities. Additional recommendations are available in VMware’s customer blog on ESXiArgs ransomware.”
Michael DeBolt is chief intelligence officer at Intel 471.
“Activity from impacted organizations seems to have decreased in active forums such as Bleeping Computer,” he said. “While this is not direct evidence of the activity stopping for good, it is a positive indicator that could signal the end of the massive deployment of ransomware via this infection vector.”
These actors are likely seeking money, DeBolt said.
“It is worth mentioning we cannot rule out that the actors also had destructive intentions, as a massive deployment in this volume, corrupting configuration files and leaving behind such a high number of impacted organizations could very well complicate any possible chance of ransom negotiation,” he said. “However, these facts could be just the result of rushing to carry out the automated attack without proper pre-attack logistics planning and the intentions of the actors were just to spread and pray (for payments to come).”
Reducing the attack surface could have prevented an incident like this, DeBolt said. That includes not exposing services to the internet and keeping software up to date.
Mike Parkin is senior technical engineer at Vulcan Cyber.
“I have no visibility into the target areas,” he said. “However, it is likely that unless the threat actors have been conclusively blocked, the attacks will continue until they are. There’s no information publicly available to identify a threat actor or a possible motive, though the typical motives are going to be some form of criminal extortion or malicious interference.”
Organizations should always be keeping up with recommended patches and following industry best practices when they deploy, Parkin said. That’s just proper basic security hygiene and can prevent a range of attacks.
Jan Lovmand is CTO of BullWall, a ransomware containment provider. He said VMware has made the patch available since February 2021.
“And this just goes to show how long it takes many organizations to get around to patch internal systems and applications, which is just one of many reasons why the criminals keep finding their way in,” he said.
The criminals just need to find one hole they can exploit, either systems or humans, Lovmand said.
“The attack surface is big and preventative security solutions can be bypassed in a scenario like this if the vulnerability has not been patched,” he said. “It’s 50-50 odds that your company will be successfully hit with ransomware in 2023. Security solutions cannot protect unpatched networks. This is a turning point for our fight on ransomware.”