Several European countries, including France, the Netherlands, and Ukraine, have been hit by a new ransomware strain, ESXiArgs.
The attack surface management firm Censys found more than 500 hosts affected by the intruders. Researchers also found that the group had dropped similar ransom notes on two hosts as far back as October 12, 2022.
Then, on January 31, the notes were updated and reused in the February campaign.
Understanding ESXi
ESXi is a hypervisor, a virtualization platform that runs directly on the host hardware. Typically, it hosts multiple virtual machines on a single server.
Ransomware encrypts files and documents to extort payment, which may be demanded in any form, including cryptocurrency, fraudulent bank transfers, or mobile payments.
If an ESXi host is hit by ransomware, every virtual machine running on it is affected. Once an attacker controls the server, it can become inaccessible to everything that depends on it, or be drawn into the attack itself.
Is ESXi an accessible target?
Like any other software, ESXi becomes an easy target once a capable attacker sets their sights on it. Some of the weaknesses in ESXi that make such attacks possible are:
- The management interface of the ESXi host allows administrators to manage the virtual machines and the ESXi server itself. If an attacker gains access to the management interface, they may be able to execute commands, modify settings, or even take control of the entire ESXi server.
- Another potential weakness is outdated software or unpatched security vulnerabilities. If the ESXi host is not regularly updated with the latest security patches, it may be vulnerable to known attacks that an attacker can exploit with little effort.
The widespread use of ESXi in enterprise environments may make it a target for attackers, as compromising an ESXi host could give them access to many virtual machines and sensitive data.
Is there any workaround available?
The general recommendations are:
- Run supported versions of VMware software.
- Stay updated on the latest releases of VMware software promptly.
- Use the vSphere Security Configuration Guides to harden environments.
- Tightly control access to IT infrastructure management interfaces (not just vSphere).
- Use multifactor authentication and good authorization practices.
- Subscribe to the VMware Security Advisory mailing lists for proactive notification of issues.
If you rely on VMware products, seek VMware's own guidance on this issue as well.
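To make the recommendation to tightly control access to management interfaces concrete, here is an added audit script (my example, not from this article or from VMware) that parses the output of `esxcli network firewall ruleset allowedip list` and flags management-facing rulesets that still accept connections from every source address. The sample output, the set of ruleset names treated as management-facing, and the remediation command syntax are assumptions drawn from a typical ESXi 7 host; verify them against your own version.

```python
"""Flag ESXi management-facing firewall rulesets that accept any source IP.

Input is the text of `esxcli network firewall ruleset allowedip list`, run on
the ESXi host. Ruleset names and the output layout below are assumptions taken
from a typical ESXi 7 host; verify them against your own version.
"""
import re

# Rulesets that front ESXi management interfaces (assumed names).
MANAGEMENT_RULESETS = {"sshServer", "vSphereClient", "webAccess", "CIMHttpsServer", "CIMSLP"}

# Constructed sample output, not captured from a real host.
SAMPLE_OUTPUT = """\
Ruleset               Allowed IP Addresses
--------------------  --------------------
sshServer             All
sshClient             All
vSphereClient         10.10.0.0/24, 10.10.1.5
webAccess             All
CIMSLP                All
nfsClient             All
"""


def parse_allowedip(output):
    """Map each ruleset to its allowed source list; ['All'] means unrestricted."""
    rows = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Ruleset") or line.startswith("---"):
            continue  # skip blank lines, the header row and the separator row
        parts = re.split(r"\s+", line, maxsplit=1)
        name, addrs = parts[0], (parts[1] if len(parts) > 1 else "")
        rows[name] = ["All"] if addrs == "All" else [a.strip() for a in addrs.split(",") if a.strip()]
    return rows


def exposed_management_rulesets(output, management=MANAGEMENT_RULESETS):
    """Return management rulesets whose allowed-IP list is 'All', sorted by name."""
    rows = parse_allowedip(output)
    return sorted(n for n, addrs in rows.items() if n in management and addrs == ["All"])


def remediation_commands(ruleset, allowed_cidr):
    """esxcli commands that restrict a ruleset to one admin network (assumed syntax)."""
    return [
        f"esxcli network firewall ruleset allowedip add -r {ruleset} -i {allowed_cidr}",
        f"esxcli network firewall ruleset set -r {ruleset} --allowed-all false",
    ]


if __name__ == "__main__":
    for name in exposed_management_rulesets(SAMPLE_OUTPUT):
        print(f"[!] {name} accepts connections from any source address")
        for cmd in remediation_commands(name, "10.10.0.0/24"):  # admin network placeholder
            print("    " + cmd)
```

Feed the script real `esxcli` output saved from each host and review the flagged rulesets against your actual administrative networks before applying any restriction.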
Concluding remarks
Robust security analysis is something every organization must consider continuously, and breaking out of the status quo is essential when it comes to security.
VMware has not issued a dedicated advisory for this ransomware, because the malware does not exploit any new vulnerability. That makes it clear that keeping software up to date is the foremost step in cyber security.