CyberSecurityBoard
Sponsor Register Login

No Proof of Unpatched Vulnerabilities Being Used in ESXiArgs Ransomware Assaults VMware

VMware has warned customers to take action as unpatched ESXi servers are being targeted by ESXiArgs ransomware attacks. Hackers are exploiting CVE-2021-21974, a high-severity ESXi remote code execution vulnerability related to OpenSLP that was patched by VMware in February 2021. After successful exploitation, unidentified threat actors have deployed file-encrypting ransomware that targets virtual machines. Although technical details and a proof-of-concept exploit for CVE-2021-21974 have been available for almost two years, there is no evidence that in-the-wild exploitation has been observed until now. VMware stated in a blog post that there is no indication that the attacks involve exploitation of a zero-day vulnerability. Most reports suggest that End of General Support and/or significantly out-of-date products are being targeted with known vulnerabilities that were previously addressed and disclosed in VMware Security Advisories. The attacks are possible because many organizations are running old and unpatched software. ESXiArgs ransomware attacks seem to have started on or around February 3. As of February 7, Censys shows nearly 2,500 compromised servers and Shodan shows more than 1,600. Most of the hacked systems are located in France, followed by the United States. On compromised systems, the hackers leave a ransom note demanding roughly $50,000 in bitcoins in order to recover their files and prevent them from being leaked. The cybercriminals claim to have stolen data that they will sell unless a ransom is paid, but there is no evidence to date that files have actually been stolen in ESXiArgs attacks. The malware used in these attacks targets files associated with virtual machines. In some cases, the encryption routine can partially fail, which could allow some victims to recover their data without paying a ransom. Recovering files that have been properly encrypted seems impossible for the time being. Cyble has published a technical analysis of the malware, including information on VM configuration file modifications, file encryption, persistence, and cleanup. Government cybersecurity agencies around the world, including in the United States, have issued warnings about the ESXiArgs ransomware attacks.

This Cyber News was published on www.securityweek.com. Publication date: Tue, 07 Feb 2023 15:23:03 +0000


Cyber News related to No Proof of Unpatched Vulnerabilities Being Used in ESXiArgs Ransomware Assaults VMware

10 Best Ransomware Protection Tools - 2025 - It protects devices from ransomware and other cyber threats using advanced threat intelligence, behavioral analysis, and cloud-based technology. It monitors and prevents ransomware assaults on personal files and automatically restores encrypted ...
1 month ago Cybersecuritynews.com
Investigation of Possible Causes of ESXiArgs Ransomware Attacks Suggests VMware is Not at Fault - Edward Hawkins, the High-Profile Product Incident Response Manager at VMware, has denied allegations that two-year-old security flaws have been used in the current ESXiArgs ransomware attacks. Over the weekend, reports surfaced about cybercriminals ...
2 years ago Hackread.com CVE-2021-21974
No Proof of Unpatched Vulnerabilities Being Used in ESXiArgs Ransomware Assaults VMware - VMware has warned customers to take action as unpatched ESXi servers are being targeted by ESXiArgs ransomware attacks. Hackers are exploiting CVE-2021-21974, a high-severity ESXi remote code execution vulnerability related to OpenSLP that was ...
2 years ago Securityweek.com CVE-2021-21974
Guidance on Recovering from ESXiArgs Ransomware Released by CISA and FBI - A ransomware campaign known as ESXiArgs is currently active and malicious actors may be taking advantage of known vulnerabilities in outdated or unpatched versions of VMware ESXi software to gain access to ESXi servers and deploy the ransomware. ...
2 years ago Us-cert.cisa.gov
VMware fixes critical Cloud Director auth bypass unpatched for 2 weeks - VMware has fixed a critical authentication bypass vulnerability in Cloud Director appliance deployments, a bug that was left unpatched for over two weeks since it was disclosed on November 14th. Cloud Director is a VMware platform that enables admins ...
1 year ago Bleepingcomputer.com CVE-2023-34060
Medusa Ransomware Turning Your Files into Stone - Unit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in tactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the Medusa Blog. The Unit 42 ...
1 year ago Unit42.paloaltonetworks.com Medusa
Hive Ransomware: A Detailed Analysis - This past week, on January 26th, to be exact, the FBI successfully shut down the Hive ransomware group and saved victims over a hundred million dollars in ransom payments and remediation costs. As ransomware continues to be a national security threat ...
2 years ago Heimdalsecurity.com LockBit
Linux version of Qilin ransomware focuses on VMware ESXi - A sample of the Qilin ransomware gang's VMware ESXi encryptor has been found and it could be one of the most advanced and customizable Linux encryptors seen to date. Due to this adoption, almost all ransomware gangs have created dedicated VMware ESXi ...
1 year ago Bleepingcomputer.com Qilin
No Signs of Unpatched Vulnerabilities Discovered in ESXiArgs Ransomware Attacks - VMware reported on Monday that there is no proof that hackers are using an unknown security flaw, also known as a zero-day, in its software as part of a ransomware attack. Most reports suggest that outdated products with known vulnerabilities that ...
2 years ago Thehackernews.com CVE-2021-21974
The Top 10 Ransomware Groups of 2023 - This article takes an in-depth look at the rise in ransomware attacks over the past year and the criminal groups driving the surge in cyber extortion. LockBit has established itself as one of the most notorious ransomware operations since emerging on ...
1 year ago Securityboulevard.com TA505 8base LockBit BianLian Medusa Noescape Black Basta
CISA Provides Assistance to People Affected by ESXiArgs Ransomware - The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has created a new tool to help those affected by ESXiArgs ransomware. This open-source tool, called SXiArgs-Recover, is designed to help victims recover their virtual machines that have ...
2 years ago Hackread.com CVE-2021-21974
VMware warns admins of public exploit for vRealize RCE flaw - VMware warned customers on Monday that proof-of-concept exploit code is now available for an authentication bypass flaw in vRealize Log Insight. "Updated VMSA to note that VMware has confirmed that exploit code for CVE-2023-34051 has been published," ...
1 year ago Bleepingcomputer.com CVE-2023-34051
Ransomware Roundup - The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants. This edition of the Ransomware Roundup covers the 8base ransomware. 8base ...
1 year ago Feeds.fortinet.com 8base
Ransomware trends and recovery strategies companies should know - Ransomware attacks can have severe consequences, causing financial losses, reputational damage, and operational disruptions. The methods used to deliver ransomware vary, including phishing emails, malicious websites, and exploiting vulnerabilities in ...
1 year ago Helpnetsecurity.com
VMWare discloses critical VCD Appliance auth bypass with no patch - VMware disclosed a critical and unpatched authentication bypass vulnerability affecting Cloud Director appliance deployments. Cloud Director enables VMware admins to manage their organizations' cloud services as part of Virtual Data Centers. The auth ...
1 year ago Bleepingcomputer.com CVE-2023-34060
A Huge Number of People Have Been Affected by the ESXiArgs Ransomware Attack - European cybersecurity authorities are warning of a large-scale attack on a two-year-old VMWare ESXi vulnerability by ransomware actors. This campaign has been named ESXiArgs because the ransomware creates an additional file with the extension. ...
2 years ago Therecord.media CVE-2021-21974
CISA Publishes Free Software to Help Restore Data Affected by ESXiArgs Ransomware - The US Cybersecurity and Infrastructure Security Agency (CISA) has created a free tool to help those affected by the ESXiArgs ransomware attacks. These attacks, first seen on February 3, exploit a high-severity vulnerability in VMware's ESXi ...
2 years ago Securityweek.com
Ransomware in 2023 recap: 5 key takeaways - This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. While some ransomware trends hardly changed over the last year, such as LockBit's continued dominance, ransomware criminals also challenged ...
1 year ago Malwarebytes.com Scattered Spider LockBit
The Week in Ransomware - Today's column brings you two weeks of information on the latest ransomware attacks and research after we skipped last week's article. BleepingComputer has learned that some of the BlackCat/ALPHV affiliates are not buying the explanation and have ...
1 year ago Bleepingcomputer.com LockBit Qilin Noescape
Ransomware's Impact May Include Heart Attacks, Strokes & PTSD - First-order harms: Direct targets of ransomware attacks. The increasing convergence of IT and OT leave physical infrastructures more vulnerable to ransomware, even though most ransomware operators lack the capability to directly compromise OT or ...
1 year ago Techrepublic.com
Hackers Target Over 3800 Servers with ESXiArgs Ransomware and Make Improvements to the Malware - Recent developments in the ESXiArgs ransomware attacks have been uncovered, including the encryption method used by the hackers, the victims, and the vulnerability exploited. The US Cybersecurity and Infrastructure Security Agency released an open ...
2 years ago Securityweek.com CVE-2021-21974 CVE-2020-3992 CVE-2019-5544
Ransomware review: January 2024 - This provides the best overall picture of ransomware activity, but the true number of attacks is far higher. In February, there were 376 ransomware victims, marking an unusually active month for the historically subdued time period. February didn't ...
1 year ago Malwarebytes.com LockBit Black Basta
A New Version of ESXiArgs Ransomware Blocks VMware ESXi Restoration - Recently, a large-scale ransomware attack targeted over 3,000 VMware ESXi servers, using a new version of the ESXiArgs ransomware. It was initially thought that the devices were breached using old VMware SLP vulnerabilities, although some victims ...
2 years ago Bleepingcomputer.com
6 Ransomware Trends & Evolutions For 2023 - More than any other industry, cybersecurity is constantly changing. The number of major paradigm shifts that have transformed the world of cybersecurity in the past few years has been unprecedented, especially when it comes to combating ransomware. ...
2 years ago Trendmicro.com TeamTNT
1 1
Key Group uses leaked builders of ransomware and wipers | Securelist - The first discovered sample of Key Group, the Xorist ransomware, established persistence in the system by changing file extension associations. The .huis_bn extension added to encrypted files in the early versions of Key Group samples, Xorist and ...
5 months ago Securelist.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)