
Global Ransomware Attack on VMware ESXi Hypervisors Continues to Proliferate

Several governmental organisations and researchers report that an international ransomware attack targeting VMware ESXi hypervisors is expanding after infecting thousands of targets. 

More than 3,200 servers in Canada, France, Finland, Germany, and the US have already been affected by the attack, which was originally detected late on February 3 by the French Computer Emergency Response Team (CERT-FR), according to Censys tracking.

The point of compromise is an exploit for a two-year-old remote code execution (RCE) vulnerability, CVE-2021-21974, in the hypervisor's OpenSLP (Open Service Location Protocol) service.

According to a Feb. 5 notification from French hosting company OVHcloud, which has clients hit by the attacks, the attack's purpose appears to be the installation of a novel ransomware strain called "ESXiArgs," although the gang behind it is unclear.

The alert states: "we [previously] made the assumption the attack was linked to the Nevada ransomware which was a mistake. No material can lead us to attribute this attack to any group. Attribution is never easy and we leave security researchers to make their own conclusions."

According to a copy of the ransom note published by a Dark Web monitor known as DarkFeed, the attackers demand about 2 Bitcoin ($23,000 at press time) within three days of compromise; if the victims do not pay, they warn, the ransom will increase and the gang will release sensitive data. Rapid7, a cybersecurity company, found in its analysis that there has been no proof of actual data exfiltration as yet.

Instead, the encryption procedure appears to be the main objective, and it is primarily aimed at virtual machine files (.vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, and .vmem), according to the firm's evaluation. "In some circumstances, file encryption may only partially succeed, enabling the victim to recover data."

VMX, or Virtual Machine Executable, is a process that runs in the VMkernel and performs I/O requests. "The malware tries to shut down virtual machines by destroying the VMX process to unlock the files," according to Rapid7, which further stated that "this function is not consistently functioning as planned, resulting in files remaining locked."

Administrators should apply the patch right away to protect themselves from this attack. As a workaround, the CERT-FR alert advises that "the SLP can be disabled on any ESXi servers that haven't been updated, in order to further mitigate the risk of compromise."

Additionally, according to a warning issued over the weekend by Singapore's SingCERT, "users and administrators are also encouraged to check if the ransomware campaign-targeted port 427 can be stopped without impacting operations." 
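As an added example, not taken from the original post or from VMware, here is a small Python check an administrator can run from a management host to confirm that the SLP workaround actually took effect: it reports which ESXi hosts in an inventory still accept TCP connections on port 427. The hostnames in the sample inventory are constructed placeholders. The commands quoted in the comment are the ones VMware's knowledge base gives for stopping and disabling the SLP daemon; confirm them against current VMware guidance before use.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# SLP listens on TCP and UDP 427 on an ESXi host. This check only probes the
# TCP listener, which is enough to tell whether slpd is still running.
SLP_PORT = 427

# VMware's documented workaround on each unpatched ESXi host (run over SSH):
#   /etc/init.d/slpd stop
#   esxcli network firewall ruleset set -r CIMSLP -e 0
#   chkconfig slpd off
# After that, the check below should report the host as no longer exposed.


def slp_port_open(host, port=SLP_PORT, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds, else False.

    Connection refusals, timeouts and DNS failures all count as "not open";
    they are all subclasses of OSError.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_hosts(hosts, port=SLP_PORT, timeout=2.0, workers=16):
    """Probe every host in the inventory concurrently.

    Returns a dict mapping host -> True (port reachable) / False (closed).
    """
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda h: slp_port_open(h, port, timeout), hosts))
    return dict(zip(hosts, flags))


def still_exposed(results):
    """Sorted list of hosts where the SLP port is still reachable."""
    return sorted(host for host, is_open in results.items() if is_open)


if __name__ == "__main__":
    # Constructed inventory; replace with the real list of ESXi management
    # addresses. Hostnames here are placeholders and do not resolve.
    inventory = [
        "esxi-01.example.internal",
        "esxi-02.example.internal",
        "esxi-03.example.internal",
    ]
    results = audit_hosts(inventory)
    for host, is_open in sorted(results.items()):
        print(f"{host}: {'SLP port 427 OPEN - workaround not applied' if is_open else 'closed'}")
    exposed = still_exposed(results)
    print(f"{len(exposed)} of {len(inventory)} hosts still expose SLP")
```

Run it from a host that has management-network access to the ESXi hosts; a host reported as open after the workaround was applied usually means slpd was restarted by a reboot because `chkconfig slpd off` was skipped, or the firewall rule set was re-enabled. The probe is a plain TCP connect, so it is safe to run repeatedly from a monitoring job to catch such regressions.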

Cybercriminals continue to target VMware; just last week, exploit code was published for further RCE issues in the virtualization vendor's product line.