VMware ESXi hypervisors have become crucial to organizational infrastructure, which has drawn the attention of cybercriminals. Researchers at Censys disclosed a rise in ransomware attacks aimed at VMware ESXi instances as ESXiArgs ransomware spreads into Europe. Meanwhile, Recorded Future's report looks behind the recent ransomware outbreak that affected thousands of servers.
Latest findings
Attack surface management firm Censys disclosed that the ESXiArgs ransomware strain has affected over 500 systems.
A majority of them are located in France, the Netherlands, Germany, the U.K., and Ukraine.
Researchers found that the same hacker group had dropped eerily similar ransom notes on two hosts as far back as October 12, 2022.
Then, on January 31, the notes were updated and used in the February campaign.
Glimpse into the recent past
During its campaign, ESXiArgs ransomware was found abusing a two-year-old RCE bug (CVE-2021-21974) and compromised 3,200 servers across the world.
According to experts, ESXiArgs may be based on the leaked source code of Babuk ransomware, which is similar to other ESXi ransomware campaigns like CheersCrypt and the encryptor used by the Quantum/Dagon group, known as PrideLocker.
Following the massive volume and scale of the attacks, CISA released a decryptor so that victims could recover their data without paying a ransom. However, ESXiArgs returned with a new variant of the ransomware that encrypts more data.
As of February 9, this new strain had infected 1,252 servers, of which 1,168 were reinfections.
Ransomware groups targeting VMware
In 2020, only two instances of ransomware attacks targeting ESXi were discovered, but this number increased significantly in 2021, with over 400 incidents identified. The number continued to grow rapidly, reaching 1,118 in 2022.
Several groups, including ALPHV, LockBit, and BlackBasta, were observed offering ransomware payloads, with Royal Ransomware and ESXiArgs as the latest ones to join this trend.
The malicious tools that target ESXi primarily abuse the hypervisor's native commands to carry out their actions, making it challenging to distinguish them from regular system administrator activity.
Why this matters
As virtualization continues to gain popularity, vulnerabilities are also on the rise.
However, compared to Windows, ESXi does not have the same level of protection and defense mechanisms in place.
While there are numerous antivirus and endpoint detection and response tools available for Windows, there are relatively few such products for hypervisors like ESXi, with many still in the early stages of development.
Furthermore, the commands a threat hunter looks for in ESXi are often identical to regular system administrator operations, which makes it challenging to differentiate between legitimate and malicious activity.
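Because the abused commands are legitimate administrative ones, detection has to look at tempo and combination within a session rather than at any single command. The following script is an added example (not code from Censys, Recorded Future, or the ransomware reports the article summarizes) that triages ESXi shell audit lines. It assumes the line shape ESXi writes to /var/log/shell.log (timestamp, shell[pid], [user], command); the sample log, the watched command prefixes, and the thresholds are constructed for this example and should be tuned to local baselines.

```python
"""
Heuristic triage of ESXi shell audit lines (added example; sample data is constructed).

Assumed line shape, as written by ESXi to /var/log/shell.log:
    <ISO-8601 timestamp> shell[<pid>]: [<user>]: <command>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)

# Native commands that are routine on their own; only their tempo and
# combination within one shell session are scored. Prefix list is an assumption.
WATCHLIST = {
    "esxcli vm process kill": "vm-kill",
    "vim-cmd vmsvc/power.off": "vm-kill",
    "esxcli network firewall set --enabled false": "firewall-off",
}

# Constructed sample: a routine admin session (pid 1802) and a session that
# force-kills several VMs in seconds and then disables the host firewall (pid 2077).
SAMPLE_SHELL_LOG = """\
2023-02-03T09:14:02Z shell[1802]: [root]: esxcli vm process list
2023-02-03T09:15:10Z shell[1802]: [root]: esxcli vm process kill --type=soft --world-id=2100121
2023-02-03T11:41:30Z shell[2077]: [root]: esxcli vm process list
2023-02-03T11:41:35Z shell[2077]: [root]: esxcli vm process kill --type=force --world-id=2100121
2023-02-03T11:41:38Z shell[2077]: [root]: esxcli vm process kill --type=force --world-id=2100135
2023-02-03T11:41:41Z shell[2077]: [root]: esxcli vm process kill --type=force --world-id=2100142
2023-02-03T11:41:44Z shell[2077]: [root]: esxcli vm process kill --type=force --world-id=2100150
2023-02-03T11:42:02Z shell[2077]: [root]: esxcli network firewall set --enabled false
2023-02-03T11:42:09Z shell[2077]: [root]: ls /vmfs/volumes
"""


def parse(line):
    """Parse one shell.log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "pid": int(m["pid"]),
        "user": m["user"],
        "cmd": m["cmd"].strip(),
    }


def classify(cmd):
    """Map a command to a watchlist tag by prefix, or None if it is not watched."""
    for prefix, tag in WATCHLIST.items():
        if cmd.startswith(prefix):
            return tag
    return None


def triage(lines, window=timedelta(seconds=60), kill_threshold=3):
    """Return findings keyed by (user, pid) session: a burst of VM kills inside
    `window`, and any firewall disablement. Thresholds are assumptions."""
    sessions = defaultdict(list)
    for event in filter(None, map(parse, lines)):
        tag = classify(event["cmd"])
        if tag:
            sessions[(event["user"], event["pid"])].append((event["ts"], tag, event["cmd"]))

    findings = []
    for (user, pid), events in sessions.items():
        events.sort()
        kills = [ts for ts, tag, _ in events if tag == "vm-kill"]
        # Sliding window: flag once if >= kill_threshold kills land within `window`.
        for i, start in enumerate(kills):
            count = sum(1 for ts in kills[i:] if ts - start <= window)
            if count >= kill_threshold:
                findings.append({"user": user, "pid": pid, "reason": "vm-kill-burst",
                                 "first_ts": start, "count": count})
                break
        for ts, tag, cmd in events:
            if tag == "firewall-off":
                findings.append({"user": user, "pid": pid, "reason": "firewall-disabled",
                                 "first_ts": ts, "cmd": cmd})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SHELL_LOG.splitlines()):
        print(f)
```

Run against the constructed sample, the routine session (one soft kill) produces nothing, while the second session yields two findings: a burst of four VM kills within 60 seconds and a firewall disablement. In practice the same logic can be pointed at lines forwarded from the host by syslog, so the hunt does not depend on the hypervisor's own state after an incident.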
The bottom line
Experts state that the threat of ransomware aimed at VMware ESXi remains persistent and can jeopardize organizations, leading to operational disruptions, competitive disadvantage, and reputational damage. Hence, while adopting virtualized infrastructure is still advisable, it is crucial to enforce robust security measures and to apply precautions comparable to those already used for the rest of the existing infrastructure.