The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint warning about an ongoing ransomware campaign targeting outdated versions of VMware's ESXi hypervisor. CISA estimates that 3,800 ESXi servers have been compromised worldwide, potentially leaving the VMs hosted on those servers unusable. Microsoft has also reported that it is tracking 100 active ransomware gangs using 50 different types of malware.

VMware has advised enterprises to update their ESXi servers to the latest supported version of the hypervisor and to disable the Service Location Protocol (SLP) service. Patches have been released for the critical bug CVE-2021-21974, which affects the SLP component in ESXi. The ESXiArgs ransomware has been targeting servers in Europe since February 3 and has since spread to North America. France's computer emergency response team has suggested that organizations isolate affected servers, reinstall a supported version of ESXi 7.x or ESXi 8.x, and apply any patches.

CISA and the FBI have urged those running VMware ESXi servers to update them to the latest version, harden the hypervisors by disabling the SLP service, and ensure the ESXi hypervisor is not exposed to the public internet. CISA has also released a recovery script on its GitHub account that can reconstruct VM metadata from unencrypted virtual disks. The script does not delete the encrypted configuration files; instead it creates new configuration files that restore access to the VMs. CISA has warned that organizations should review the script to make sure it is suitable for their environment before deploying it, and that CISA does not assume any liability for damage caused by the script.
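The hardening the advisory calls for (confirm the ESXi version and build, disable SLP) can be audited across a whole fleet rather than host by host. The PowerCLI script below is an added example, not code from the article, CISA or VMware: it reports each host's version, build and SLP state, and only with `-Remediate` stops the `slpd` service, sets it not to start at boot and closes its firewall rule. It assumes the VMware.PowerCLI module is installed, that you have credentials for the vCenter or ESXi host given in `-Server`, and that the service key `slpd` and firewall exception name `CIM SLP` are what your ESXi build uses.

```powershell
# Added audit/hardening helper for the ESXi SLP guidance (not an official tool).
# Run from an admin workstation with VMware.PowerCLI installed.
param(
    [Parameter(Mandatory)] [string] $Server,  # vCenter or ESXi host (assumed reachable)
    [switch] $Remediate                        # report only unless this switch is given
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $Server | Out-Null

foreach ($vmhost in Get-VMHost) {
    # Service key 'slpd' and firewall exception 'CIM SLP' are assumptions about
    # the host's naming; compare Version/Build against VMware's advisory for CVE-2021-21974.
    $slpd = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'slpd' }
    $fw   = Get-VMHostFirewallException -VMHost $vmhost -Name 'CIM SLP'

    [pscustomobject]@{
        Host        = $vmhost.Name
        Version     = $vmhost.Version
        Build       = $vmhost.Build
        SlpdPresent = [bool]$slpd              # newer builds may ship without slpd
        SlpdRunning = if ($slpd) { $slpd.Running } else { $false }
        SlpdPolicy  = if ($slpd) { $slpd.Policy } else { 'n/a' }   # 'Off' = not started at boot
        SlpFirewall = if ($fw)   { $fw.Enabled } else { $false }   # $true = rule still open
    }

    if ($Remediate) {
        if ($slpd -and $slpd.Running) {
            Stop-VMHostService -HostService $slpd -Confirm:$false | Out-Null
        }
        if ($slpd -and $slpd.Policy -ne 'Off') {
            Set-VMHostService -HostService $slpd -Policy Off | Out-Null
        }
        if ($fw -and $fw.Enabled) {
            Set-VMHostFirewallException -Exception $fw -Enabled:$false | Out-Null
        }
    }
}

Disconnect-VIServer -Server $Server -Confirm:$false
```

Run it once without `-Remediate` to get the inventory, and treat any host whose build predates the patched release, or whose SLP service is running with the firewall rule open, as a priority for isolation and patching.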
This Cyber News was published on www.zdnet.com. Publication date: Thu, 09 Feb 2023 12:58:03 +0000