Italy, France and Singapore Warn of a Spike in ESXI Ransomware

ESXi ransomware targeted thousands of VMware servers in a global-scale campaign, security experts and international CERTs warn.

Thousands of computer servers have been targeted by a global ransomware hacking attack targeting VMware (VMW.N) ESXi servers.

ESXi is VMware’s hypervisor, a technology that allows organizations to host several virtualized computers running multiple operating systems on a single physical server. The Computer Emergency Response Team of France (CERT-FR) was the first to notice and send an alert about the attack. Italy’s National Cybersecurity Agency (ACN) and Cyber Security Agency of Singapore have also issued warnings for organizations to take immediate action to protect their systems.

Notably, this promptly comes after the publication of a report about the Nevada Ransomware group uncovered by Resecurity last week, which released a modified locker supporting ESXi as well. Resecurity released an extensive report on ransomware, as well as described the affiliate network managed by the actors.

The French cloud provider OVHcloud also published a report linking this massive wave of attacks targeting VMware ESXi servers to the Nevada ransomware operation: “According to experts from the ecosystem as well as authorities, they might be related to Nevada ransomware and using CVE-2021-21974. Investigations are still ongoing to confirm those assumptions,” OVHcloud CISO Julien Levrard said. “The attack is primarily targeting ESXi servers in versions before 7.0 U3i, apparently through the OpenSLP port (427).”

Resecurity has noted that the Nevada Ransomware group has multiple affiliates which could essentially be utilizing a customized version of the locker or its modifications generating different extensions. For example, in some of the episodes of the same campaign, the ransomware encrypts files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions on compromised ESXi servers, then creates a .args file for each encrypted document with metadata (likely needed for decryption) – that’s why the researchers called it ESXiArgs Ransomware.

Notably, this weekend had three Ransomware actors rise targeting ESXi and Linux – Royal, Nevada and ESXiArgs.

The attack exploits a heap-overflow vulnerability in VMware ESXi and is tracked as CVE-2021-21974 which was patched in February 2021. The vulnerability affects the Service Location Protocol service and allows an attacker to remotely exploit arbitrary code. VMware designated the vulnerability as “critical,” meaning it could be used by attackers to remotely execute any code they wanted on a vulnerable system and take full control of it.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ESXi ransomware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.