Mass VMware ESXi ransomware attacks target servers globally

Recently, businesses worldwide have reported a surge in VMware ESXi ransomware attacks, which are malicious attacks that target virtualized environments. These attacks have caused widespread disruption and financial losses for many organizations.

What is VMware ESXi?

VMware ESXi is a popular virtualization platform that allows businesses to run multiple virtual machines on a single physical server. Organizations widely use this platform to manage and consolidate their IT infrastructure. However, the growing popularity of VMware ESXi has also made it an attractive target for ransomware attacks.

🌐 A new #ransomware attack is spreading like crazy 🚨

Many VMware ESXi servers got encrypted in the last hours with this ransom note 🧐

What's interesting is that the bitcoin wallet is different in every ransom note. No website for the group, only TOX id 👀 pic.twitter.com/mgyoLxbXvg

— DarkFeed (@ido_cohen2) February 3, 2023

How does it work? 

In a typical VMware ESXi ransomware attack, attackers gain access to the virtual environment and encrypt the data stored on virtual machines. They then demand a ransom payment in exchange for the decryption of the data. 

The worst part is that in many cases the attackers have also deleted backup files, making it even more difficult for organizations to recover their data.

Plus, the rise in VMware ESXi ransomware attacks has caused alarm among businesses, and experts warn that this trend will likely continue. 

Many organizations need to implement adequate security measures to protect their virtual environments. This includes updating software, applying patches, and using anti-virus and anti-malware software.

CVE-2021-21974 vulnerabilities

CVE-2021-21974 is a security vulnerability in the VMware ESXi virtualization platform. This vulnerability was discovered and reported by the VMware security team and was assigned the CVE identifier CVE-2021-21974.

The vulnerability could allow an attacker to execute arbitrary code with elevated privileges on a vulnerable system. This could allow an attacker to control the affected system completely and steal sensitive information, install malware, or cause other damage.

The #ESXi mass exploitations is almost 100% NOT: CVE-2021-21974

CVE-2021-21974 attacks SLP on TCP 427.

The affected hosts DO NOT have this exposed based on shodan scans. I'll look at some port scan data to double check this but @shodan does scan this port and see below #vmware pic.twitter.com/ifS7nOlOdS

— mRr3b00t (@UK_Daniel_Card) February 4, 2023

Using security patches is a quick solution 

VMware has released a patch to address this vulnerability, and it is recommended that organizations apply the patch as soon as possible to prevent potential attacks. 

Plus, organizations should ensure that their virtual environments are properly secured, including implementing multi-factor authentication, limiting access to trusted users, and regularly updating software and applying patches.

Can We Tackle VMware ransomware? 

To mitigate the risk of VMware ESXi ransomware attacks, businesses need to take proactive measures to secure their virtual environments. 

This includes regular software updates, backups, and security scans. In addition, companies should implement multi-factor authentication and limit access to the virtual environment to only trusted users.

The bottom line is that VMware ESXi ransomware attacks are a growing business threat and can result in significant financial losses and disruption. Organizations need to take proactive measures to secure their virtual environments to prevent such attacks, including regular software updates, backups, and security scans. 

By taking these steps, businesses can reduce the risk of VMware ESXi ransomware attacks and ensure the security of their virtualized environments.