
Reinforcing Endpoint Security after the ESXiArgs Ransomware Outbreak: What You Need to Know

Feb 11, 2023 is a date that is sure to be remembered in the world of cybersecurity. On this day, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor for affected victims to recover from ESXiArgs ransomware attacks. Little did they know that the threat actors would bounce back with an updated version that encrypts more data. The new variant was reported by a system administrator on an online forum, where it was noted that files larger than 128MB will have 50% of their data encrypted, making the recovery process more challenging.

Another key change is the removal of the Bitcoin address from the ransom note, with the attackers now urging victims to contact them on Tox to obtain the wallet information. Censys believes this is because the threat actors “realized that researchers were tracking their payments, and they may have even known before they released the ransomware that the encryption process in the original variant was relatively easy to circumvent.”

Statistics shared by the crowdsourced platform Ransomwhere reveal that as many as 1,252 servers have been infected by the new version of ESXiArgs as of February 9, 2023, of which 1,168 are reinfections. Since the start of the ransomware outbreak in early February, over 3,800 unique hosts have been compromised.

The ransomware is based on the Babuk locker, which had its source code leaked in September 2021. But a crucial aspect that differentiates it from other ransomware families is the absence of a data leak site, indicating that it’s not running on a ransomware-as-a-service (RaaS) model. Ransoms are set at just over two bitcoins (US $47,000), and victims are given three days to pay.

While it was initially suspected that the intrusions involved the abuse of a two-year-old, now-patched OpenSLP bug in VMware ESXi (CVE-2021-21974), compromises have been reported in devices that have had the network discovery protocol disabled. VMware has since said that it has found no evidence to suggest that a zero-day vulnerability in its software is being used to propagate the ransomware. This indicates that the threat actors behind the activity may be leveraging several known vulnerabilities in ESXi to their advantage, making it imperative that users move quickly to update to the latest version.

The attacks have yet to be attributed to a known threat actor or group. Cybersecurity company Rapid7 said it found 18,581 internet-facing ESXi servers that are vulnerable to CVE-2021-21974.

It is clear that all organizations must take steps to ensure their endpoints are secure and up-to-date. Patches must be implemented quickly after they are released, and multiple lines of defense must be employed. Cyber attackers continue to plague organizations via death by a thousand cuts, and the ESXiArgs ransomware is a prime example of why this is the case.

Key Points:
• On February 11, 2023, CISA released a decryptor for victims of ESXiArgs ransomware attacks.
• Threat actors have bounced back with an updated version that encrypts more data, including files larger than 128MB.
• Statistics show that over 3,800 unique hosts have been compromised since the start of the ransomware outbreak.
• The ransomware is based on the Babuk locker, and is not running on a ransomware-as-a-service (RaaS) model.
• It is believed that the threat actors are leveraging several known vulnerabilities in ESXi, making it imperative that users update to the latest version.
• Organizations must take steps to ensure their endpoints are secure and up-to-date, implementing patches quickly and employing multiple lines of defense.

 
