Pierluigi Paganini February 06, 2023

ESXi ransomware targeted thousands of VMware servers in a global-scale campaign, security experts and international CERTs warn.

Thousands of computer servers have been targeted by a global ransomware hacking attack targeting VMware (VMW.N) ESXi servers.

ESXi is VMware’s hypervisor, a technology that allows organizations to host several virtualized computers running multiple operating systems on a single physical server. The Computer Emergency Response Team of France (CERT-FR) was the first to notice and send an alert about the attack. Italy’s National Cybersecurity Agency (ACN) and Cyber Security Agency of Singapore have also issued warnings for organizations to take immediate action to protect their systems.

Notably, this promptly comes after the publication of a report about the Nevada Ransomware group uncovered by Resecurity last week, which released a modified locker supporting ESXi as well. Resecurity released an extensive report on ransomware, as well as described the affiliate network managed by the actors.

The ​French cloud provider OVHcloud also published a report linking this massive wave of attacks targeting VMware ESXi servers to the Nevada ransomware operation: “According to experts from the ecosystem as well as authorities, they might be related to Nevada ransomware and using CVE-2021-21974. Investigations are still ongoing to confirm those assumptions,” OVHcloud CISO Julien Levrard said. “The attack is primarily targeting ESXi servers in versions before 7.0 U3i, apparently through the OpenSLP port (427).”

Resecurity has noted that the Nevada Ransomware group has multiple affiliates which could essentially be utilizing a customized version of the locker or its modifications generating different extensions. For example, in some of the episodes of the same campaign, the ransomware encrypts files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions on compromised ESXi servers, then creates a .args file for each encrypted document with metadata (likely needed for decryption) – that’s why the researchers called it ESXiArgs Ransomware.

Notably, this weekend had three Ransomware actors rise targeting ESXi and Linux – Royal, Nevada and ESXiArgs.

The attack exploits a heap-overflow vulnerability in VMware ESXi and is tracked as CVE-2021-21974 which was patched in February 2021. The vulnerability affects the Service Location Protocol service and allows an attacker to remotely exploit arbitrary code. VMware designated the vulnerability as “critical,” meaning it could be used by attackers to remotely execute any code they wanted on a vulnerable system and take full control of it.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ESXi ransomware)