ESXiArgs ransomware assaults have recently affected hundreds of different systems, but it’s still not known which vulnerability is being used. The number of ESXiArgs ransomware assaults has increased recently, but it’s still unclear exactly which vulnerability threat actors are utilizing.
In reality, there are still unanswered concerns regarding a number of components of these attacks, such as their possible perpetrators and the origins of the software the hackers used to deliver them.
In ESXiArgs attacks, a mysterious threat organization has been infecting VMware ESXi servers with ransomware, encrypting files, and dropping ransom notes demanding payment from the victims. Although victims are also informed in the ransom letters that their files have been stolen, experts have not discovered any proof of data loss.
Between 1,000 and 2,000 infected ESXi hosts are currently visible on the Censys and Shodan search engines. The fact that the ransom notes left on each compromised system are directly available via the internet allows for the calculation of the number of compromised systems.
As of February 8, the US Cybersecurity and Infrastructure Security Agency (CISA) reported finding 3,800 infected systems; however, this figure has probably increased considerably over the previous week.
On February 11–12, Censys recorded more than 500 newly infected hosts, mainly in European nations like France and Germany. Censys noted this increase in attacks on Wednesday.
Censys’ investigation identified two servers that were home to ransom letters resembling those used in the ESXiArgs attacks of October 2022. Similar but different were the notes that were given out in October 2022. On January 31, 2023, hackers updated the two servers with a ransom letter that was more in line with the current campaign.
Launching ESXiArgs Attacks And Enhancing The Malware
ESXi servers have been the subject of ransomware attacks utilizing Cheerscrypt, a Linux-based malware, since the spring of 2022, and it’s important to notice that the ransom letters are similar to those delivered in those assaults. Babuk source code that was leaked was used as the foundation for Cheerscrypt.
While the attacks that occurred in October 2022 may have been a result of a Cheerscrypt campaign, Censys pointed out that, unlike in the case of ESXiArgs attacks, Cheerscrypt ransom letters were often inaccessible from the internet. Because of this, Censys thinks the attacks in October 2022 may have been a forerunner to the current campaign.
On February 2, the first ESXiArgs ransomware attacks were observed, and the first alerts were released the following day. Although it has been widely thought that the ESXiArgs attacks have taken use of the CVE-2021-21974 ESXi OpenSLP-related vulnerability that VMware patched in February 2021, this has not yet been verified.
GreyNoise, a provider of threat data, stated last week that there is insufficient proof that CVE-2021-21974 is the only vulnerability being used. It was noted that CVE-2020-3992 and CVE-2019-5544, two OpenSLP-related vulnerabilities discovered in ESXi recently, might have all been used in the ESXiArgs attacks.
GreyNoise reported on Tuesday that it had investigated its archives for evidence of earlier CVE-2021-21974 exploitation attempts and had discovered two between January and June 2021, albeit the source IPs had only been active for one day each.
VMware has also stated that while it cannot validate the specific vulnerability being used, it does not seem to be Zero-day.
In a document concentrating on ESXiArgs, the virtualization giant stated, “VMware presently has no information to support that a new vulnerability is being utilized. Which is to propagate recent ransomware attacks, but there is also no proof that CVE-2021-21974 is the only attack vector, either.”
The participation of CVE-2022-31699, CVE-2021-21995, CVE-2021-21974, CVE-2020-3992, and CVE-2019-5544 has been the subject of media speculation, although it is quite possible that the attackers are utilizing any vulnerability that is available to them. VMware said that it was still looking into the matter.
Attackers keep launching ESXiArgs attacks and enhancing the malware at the same time. Some customers were able to restore their files without paying a ransom since early versions of the software left some files unencrypted. CISA even made a recovery tool available as an open source to aid affected firms.
However, more data is encrypted by more recent viruses, and since researchers haven’t yet discovered a flaw in the encryption algorithm itself, retrieving the files becomes impossible—at least for the time being.
Over the past few years, ESXi server malware has become more prevalent. Alphv, LockBit, and Black Basta were among the ransomware attacks that targeted ESXi between 2021 and 2022, according to a recent analysis by threat intelligence firm Recorded Future.
Conclusion
According to information gathered by a security research company, more than 500 European enterprises have recently become new targets for the ESXiArgs ransomware. Mark Ellzey and Emily Austin, researchers at Censys, have been updating a daily dashboard that monitors the growth of the ransomware campaign since it started causing alarms around the world earlier this month. Austin and Ellzey said that they had seen little over 500 hosts that have recently acquired the ESXiArgs infection within the past few days.
Two hundred seventeen new instances were reported in France, compared to 137 in Germany, 28 in the Netherlands, 23 in the United Kingdom, and 19 in Ukraine. The investigation also revealed that the first infections occurred on October 12, 2022, which is much earlier than February 2, 2023, the start date of the ransomware warnings issued by European cybersecurity agencies. According to Ellzey and Austin, “during examination, we uncovered two hosts with remarkably similar ransom notes dating back to mid-October 2022, shortlafter ESXi versions 6.5 and 6.7 reached end of life.”
