Recent developments in the ESXiArgs ransomware attacks have been uncovered, including the encryption method used by the attackers, the scope of the victims, and the vulnerability most likely exploited. The US Cybersecurity and Infrastructure Security Agency (CISA) released an open source recovery script (published on GitHub as ESXiArgs-Recover) to help some victims restore their virtual machines without paying a ransom, and the FBI and CISA jointly released a document with recovery guidance. It is estimated that over 3,800 servers have been compromised in the attacks, with 1,600-1,800 of them visible in Shodan and Censys search results. Reuters has reported that the victims include Florida's Supreme Court and universities in the US and Europe.

The malware encrypts files associated with virtual machines, mainly the small configuration files (including the .vmdk descriptors), but not the flat files that store the actual disk data, which is what allows some victims to recover. The tool released by the US government reconstructs the encrypted descriptor files from the unencrypted flat files so that the virtual machines can be registered with the host again. The script only rebuilds configuration files; it does not close the hole the attackers came through, so patching the host and removing it from the internet come before any recovery attempt. It has since been reported that some victims have been hit with a new version of the ESXiArgs malware that encrypts a much larger share of each file, including the flat files, so the recovery tool no longer works for them.

The attacks are believed to leverage CVE-2021-21974 for initial access, a heap overflow in the OpenSLP service of VMware ESXi that allows remote code execution and was patched in February 2021; there is no evidence that a zero-day vulnerability was used. Threat intelligence company GreyNoise has noted that other OpenSLP vulnerabilities in ESXi, such as CVE-2020-3992 and CVE-2019-5544, could also have been exploited. Data collected by cloud security company Wiz showed that 12% of ESXi servers were still unpatched against CVE-2021-21974 and therefore vulnerable. Hosts that cannot be patched immediately should at least have the SLP service disabled, as VMware has advised since the 2021 advisory, and should not expose management services to the internet.

The ransomware is believed to be based on Babuk source code that was leaked in 2021, and given the low ransom demand and the indiscriminate, mass targeting, the campaign is not thought to be linked to any known ransomware group.
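The recovery described above works because the descriptor .vmdk is a small text file while the -flat.vmdk holding the disk data is left alone. The Python below is an added example written for this summary; it is neither the CISA/FBI ESXiArgs-Recover script (a shell script that calls vmkfstools on the host) nor the malware's code. It assumes that the encryptor leaves a `<file>.args` sidecar beside every file it touched (the trait the malware is named after), that a `-flat.vmdk` without such a sidecar is untouched, that each VM folder holds a `<vm>.vmdk` descriptor plus a `<vm>-flat.vmdk` data file as on VMFS, and that a hardware version of 14 is acceptable when the original descriptor is unreadable. The quarantine folder name and the sample VM directory are made up for the example.

```python
"""Triage a VM folder hit by ESXiArgs and rebuild its .vmdk descriptors.

Added example for this article, not the CISA/FBI ESXiArgs-Recover script and
not the malware's code. Assumptions: the encryptor leaves a '<file>.args'
sidecar beside every file it touched (the trait the malware is named after);
a '-flat.vmdk' without a sidecar is untouched; each VM folder holds the small
'<vm>.vmdk' descriptor plus the raw '<vm>-flat.vmdk' data file, as on VMFS.
"""
from __future__ import annotations

import shutil
import tempfile
from pathlib import Path

SECTOR_BYTES = 512
HEADS, SECTORS_PER_TRACK = 255, 63   # lsilogic geometry used in ESXi descriptors
QUARANTINE = "esxiargs-quarantine"    # hypothetical folder for the encrypted originals


def is_encrypted(path: Path) -> bool:
    """True if the '<name>.args' sidecar sits beside the file."""
    return path.with_name(path.name + ".args").exists()


def triage(vm_dir: Path) -> dict[str, str]:
    """Map each descriptor to intact / recoverable / lost / no_flat."""
    states: dict[str, str] = {}
    for desc in sorted(vm_dir.glob("*.vmdk")):
        if desc.name.endswith(("-flat.vmdk", "-delta.vmdk")):
            continue                                  # data extents, not descriptors
        flat = desc.with_name(desc.stem + "-flat.vmdk")
        if not is_encrypted(desc):
            states[desc.name] = "intact"
        elif not flat.exists():
            states[desc.name] = "no_flat"             # nothing to rebuild from
        elif is_encrypted(flat):
            states[desc.name] = "lost"                # second-wave variant hit the data too
        else:
            states[desc.name] = "recoverable"
    return states


def build_descriptor(flat: Path, hw_version: str = "14") -> str:
    """Descriptor text for an untouched flat file. Only the extent size in
    512-byte sectors must be exact; it comes from the flat file's size, as in
    the public recovery guidance. hw_version is an assumed default."""
    size = flat.stat().st_size
    if size == 0 or size % SECTOR_BYTES:
        raise ValueError(f"{flat.name}: {size} bytes is not a whole number of sectors")
    sectors = size // SECTOR_BYTES
    cylinders = max(1, sectors // (HEADS * SECTORS_PER_TRACK))
    return "\n".join([
        "# Disk DescriptorFile", "version=1", 'encoding="UTF-8"',
        "CID=fffffffe", "parentCID=ffffffff", 'createType="vmfs"', "",
        "# Extent description", f'RW {sectors} VMFS "{flat.name}"', "",
        "# The Disk Data Base", "#DDB", "",
        'ddb.adapterType = "lsilogic"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SECTORS_PER_TRACK}"',
        f'ddb.virtualHWVersion = "{hw_version}"', "",
    ])


def recover(vm_dir: Path) -> dict[str, str]:
    """Rebuild every recoverable descriptor; return {name: new descriptor text}.
    Encrypted originals and sidecars are moved aside, never deleted."""
    rebuilt: dict[str, str] = {}
    quarantine = vm_dir / QUARANTINE
    for name, state in triage(vm_dir).items():
        if state != "recoverable":
            continue
        desc = vm_dir / name
        sidecar = desc.with_name(desc.name + ".args")
        text = build_descriptor(desc.with_name(desc.stem + "-flat.vmdk"))
        quarantine.mkdir(exist_ok=True)
        shutil.move(str(desc), str(quarantine / desc.name))
        shutil.move(str(sidecar), str(quarantine / sidecar.name))
        desc.write_text(text)
        rebuilt[name] = text
    return rebuilt


def make_sample_vm_dir() -> Path:
    """Constructed sample, not victim data; sidecar contents are placeholders."""
    d = Path(tempfile.mkdtemp(prefix="esxiargs-"))
    (d / "good.vmdk").write_text("# Disk DescriptorFile\nversion=1\n")    # untouched VM
    for vm in ("hit", "lost", "orphan"):                                 # encrypted descriptors
        (d / f"{vm}.vmdk").write_bytes(b"\xff" * 64)
        (d / f"{vm}.vmdk.args").write_text("placeholder\n")
    (d / "hit-flat.vmdk").write_bytes(b"\x00" * (2048 * SECTOR_BYTES))  # 1 MiB, untouched
    (d / "lost-flat.vmdk").write_bytes(b"\x00" * (4 * SECTOR_BYTES))
    (d / "lost-flat.vmdk.args").write_text("placeholder\n")              # flat hit as well
    return d


if __name__ == "__main__":
    sample = make_sample_vm_dir()
    print(triage(sample))
    print(recover(sample)["hit.vmdk"])
```

The triage step is the part worth running first on a real datastore: it separates VMs whose flat files survived from those hit by the second-wave variant before anything is written. On the host itself, letting vmkfstools generate the descriptor (as the public script does) is preferable to hand-writing it, and the VM still has to be re-registered afterwards; the encrypted originals are kept in the quarantine folder so the step can be undone and the evidence preserved.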
This Cyber News was published on www.securityweek.com. Publication date: Thu, 09 Feb 2023 12:59:02 +0000