On Wednesday, the FBI and CISA released a recovery script for organizations hit by a ransomware campaign targeting VMware ESXi servers worldwide. The campaign goes after ESXi bare-metal hypervisors running outdated or unpatched versions of the software. The ransomware encrypts virtual machine configuration files, rendering them unusable, and leaves a ransom note demanding roughly $23,000 in bitcoin. The script does not delete the encrypted configuration files; it attempts to rebuild new ones in their place. It is not a guaranteed way to avoid paying, and it does not fix the underlying vulnerability that let the attackers in. After running it, organizations should update ESXi to the latest version, disable the Service Location Protocol (SLP) service, and cut the hypervisors off from the public Internet before bringing systems back online. Shortly after the script's release, reports surfaced that a new variant of the ransomware was infecting servers and defeating the earlier recovery method. To prevent further attacks, CISA and the FBI also published a list of hardening steps, including maintaining regular, robust offline backups, restricting known malware vectors, and enforcing strong internal security controls.
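The SLP-disabling step above is the one concrete host change in the advice, so here it is as an ESXi shell script. This is an added example, not code from the Network World article or from the CISA/FBI recovery script. It assumes an ESXi host with the BusyBox shell, `esxcli` and `chkconfig` available, and uses the commands VMware documents for turning off SLP (stop `slpd`, disable the `CIMSLP` firewall ruleset, keep `slpd` off at boot). The `SAMPLE_*` strings are constructed command output, not captured from a real host, so the state checks can be exercised without touching a hypervisor; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article or the CISA/FBI script): disable SLP on an
# ESXi host and verify the result. Assumes ESXi with esxcli and chkconfig present.

# Stop slpd, block its firewall ruleset (CIMSLP) and keep it off across reboots.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# Verification helpers work on captured command output read from stdin, so the
# same logic can be checked off-host. Prints the CIMSLP "Enabled" column value
# (true/false) from `esxcli network firewall ruleset list`, or "missing".
slp_ruleset_enabled() {
    awk '$1 == "CIMSLP" { print $2; found = 1 } END { if (!found) print "missing" }'
}

# Prints the slpd boot state (on/off) from `chkconfig --list`, or "missing".
slpd_boot_state() {
    awk '$1 == "slpd" { print $2; found = 1 } END { if (!found) print "missing" }'
}

# Returns 0 only when the CIMSLP ruleset is disabled AND slpd will not start at
# boot. Arguments: ruleset-list output text, chkconfig --list output text.
check_slp_disabled() {
    ruleset=$(printf '%s\n' "$1" | slp_ruleset_enabled)
    boot=$(printf '%s\n' "$2" | slpd_boot_state)
    [ "$ruleset" = "false" ] && [ "$boot" = "off" ]
}

# Constructed sample output (not from a real host): state BEFORE hardening,
# with the CIMSLP rule open and slpd enabled at boot.
SAMPLE_RULESETS_BEFORE='Name                        Enabled
--------------------------  -------
sshServer                      true
CIMSLP                         true
httpClient                    false'
SAMPLE_CHKCONFIG_BEFORE='slpd            on
sfcbd-watchdog  on
ntpd            off'

# Constructed sample output: the same host AFTER disable_slp has run.
SAMPLE_RULESETS_AFTER='Name                        Enabled
--------------------------  -------
sshServer                      true
CIMSLP                        false
httpClient                    false'
SAMPLE_CHKCONFIG_AFTER='slpd            off
sfcbd-watchdog  on
ntpd            off'

# Only change a live host when explicitly asked (./harden-slp.sh --apply);
# sourcing or running without the flag just defines the functions.
if [ "${1:-}" = "--apply" ]; then
    disable_slp
    if check_slp_disabled "$(esxcli network firewall ruleset list)" "$(chkconfig --list)"; then
        echo "SLP disabled and CIMSLP ruleset blocked"
    else
        echo "SLP still reachable: re-check slpd and the CIMSLP ruleset" >&2
        exit 1
    fi
fi
```

Run it with `--apply` on the host after patching; without the flag it only defines the functions, which lets you feed it saved `esxcli`/`chkconfig` output from a fleet to find hosts where SLP is still listening. Disabling SLP is a mitigation, not a substitute for the ESXi update or for taking the management interface off the public Internet.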
This Cyber News was published on www.networkworld.com. Publication date: Thu, 09 Feb 2023 17:04:03 +0000