Several thousand servers running VMware are currently being targeted by a ransomware campaign, a type of attack we are likely to hear about more and more often.
On Sunday, February 5, 2023, the Italian cybersecurity agency informed its international counterparts that thousands of servers are currently the target of a very large-scale wave of attacks. The attackers exploit a known flaw in VMware software for which a patch was released in February 2021, but which probably not all network administrators have installed. They thereby take advantage of a weakness in the ESXi functionality offered by the virtualization tool.
CERT-FR revealed the existence of a massive ransomware campaign, currently targeting servers running ESXi from VMware, a virtualized hypervisor for embedded systems. The attackers reportedly use these machines to install ransomware called ESXiArgs. Although VMware has long been aware of this flaw, tracked as CVE-2021-21974, and released the corresponding security update, many network administrators and hosting providers have not applied it. VMware recommends that its customers update their software.
Nearly 3200 servers worldwide have already been locked by this ransomware
According to the Italian authorities, servers have reportedly been compromised in Italy, as well as in France, Finland, the United States and Canada, and several dozen organizations could find themselves “ejected” from their own systems. The US Cybersecurity and Infrastructure Security Agency (CISA) is assessing the extent of the damage caused by ESXiArgs. Many Italian Internet users reported trouble connecting this Sunday, but according to the authorities, these outages have no connection with the ransomware campaign.
ESXiArgs encrypts certain files on compromised ESXi servers and leaves a ransom note in a text or HTML file. If you are affected by this malware, you should inform law enforcement. According to Bleeping Computer, “All admins should check for the existence of a vmtools.py file and make sure to delete it immediately if necessary”.
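A triage check along the lines of the Bleeping Computer advice, as an added example that is not code from the article, VMware or Bleeping Computer: it reports any vmtools.py under a given directory and flags text/HTML files that read like ransom notes, leaving deletion to the administrator so that evidence survives for the law-enforcement report. The keyword pattern used to spot notes and the availability of sha256sum are assumptions.

```shell
#!/bin/sh
# Added triage helper, not code from the article, VMware or Bleeping Computer.
# Walks a directory tree, reports any vmtools.py (the indicator the article
# quotes) and lists .txt/.html files that read like ransom notes. It only
# reports; deletion is left to the admin so evidence survives for the
# law-enforcement report. Note keywords are an assumption; scan root is $1.

# Print each vmtools.py under $1 as "<path><TAB><sha256>" ("unknown" if no sha256sum).
find_vmtools_py() {
  find "$1" -type f -name 'vmtools.py' 2>/dev/null | while IFS= read -r f; do
    sum=$(sha256sum "$f" 2>/dev/null | cut -d' ' -f1)
    printf '%s\t%s\n' "$f" "${sum:-unknown}"
  done
}

# Print .txt/.html files under $1 whose text mentions a ransom or decryption demand.
find_ransom_notes() {
  find "$1" -type f \( -name '*.txt' -o -name '*.html' \) 2>/dev/null \
    | while IFS= read -r f; do
        if grep -qiE 'ransom|bitcoin|decrypt' "$f" 2>/dev/null; then
          printf '%s\n' "$f"
        fi
      done
}

# Summarise both checks: returns 0 if clean, 1 if an indicator is present, 2 on bad usage.
esxiargs_triage() {
  root="$1"
  if [ ! -d "$root" ]; then
    echo "usage: esxiargs_triage <directory>" >&2
    return 2
  fi
  found=0
  tools=$(find_vmtools_py "$root")
  if [ -n "$tools" ]; then
    printf 'vmtools.py present (path, sha256):\n%s\n' "$tools"
    found=1
  fi
  notes=$(find_ransom_notes "$root")
  if [ -n "$notes" ]; then
    printf 'candidate ransom notes:\n%s\n' "$notes"
    found=1
  fi
  if [ "$found" -eq 0 ]; then
    echo "no ESXiArgs indicators found under $root"
  fi
  return "$found"
}

if [ "$#" -gt 0 ]; then esxiargs_triage "$1"; fi  # usage: sh esxiargs_triage.sh <dir>
```

Run it against the datastore directory you want to inspect; a non-zero exit code means something was found and should be triaged by hand before anything is removed.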
Source : Bleeping Computer