Ransomware, Breach, Content, Content

ESXiArgs Ransomware Has Spread to 500 New Targets in Europe. Will there be More?


A second surge in ransomware attacks on systems running VMware ESXi has hit organizations in Western Europe recently. However, the identity of the perpetrators remains unclear, and there are no additional details about the malware being delivered.

Security researchers at Censys have discovered some 500 hosts newly infected with the ESXiArgs ransomware, most of which have again hit targets in France, Germany, the Netherlands and the U.K. France had 217 new incidents, while 137 appeared in Germany, 28 in the Netherlands, 23 in the U.K. and 19 in Ukraine, Censys said. Exactly how and why each victim was chosen by the hackers remains unclear.

Ransomware Behavior Unusual

The ransomware variant is unusual in that it only targets hosts running VMware ESXi, which is VMware’s hypervisor that enables organizations to run several virtual machines on one host computer and share memory, processing and other resources. The hackers reportedly went after VMware ESXi servers left unpatched against a remotely exploitable bug from 2021.

CyberCube, a cyber risk analytics company, found cyber criminals could target up to 70,000 outdated VMware ESXi servers as part of the ransomware campaign.

Ringing the Alarm Bell

According to Censys, the first infections date to mid-October of last year, roughly three and a half months before European cybersecurity authorities sounded alarm bells about the malware. Censys researchers suggested that the hackers may have engaged in a test run of the malware prior to an all-out onslaught.

As Censys researchers reported:

"During analysis, we discovered two hosts with strikingly similar ransom notes dating back to mid-October 2022, just after ESXi versions 6.5 and 6.7 reached end of life. Prior to widely ramping up a campaign, threat actors often ‘test’ their methods on a select few hosts, so we were hoping to understand more about the earlier stages of these attacks.”

In a February 16 ransom note, the hackers warned victims to meet their demands within three days or they would “expose some data and raise the price.” The extortionists also told victims not to try to decrypt “important files” and not to trust anyone “who can decrypt, they are liars, no one can decrypt without key file.”

In a double extortion threat, hackers said, “If you don’t send bitcoins, we will notify your customers of the data breach by email and text sell your data to opponents and criminals, data may be made release.”

Ransomware Attacks on the Rise

The spike in ESXi attacks coincides with a rise in ransomware assaults in the pasts 12 months. Some 20% of all reported ransomware attacks occurred in the past year, with six in 10 springing from phishing expeditions, security provider Hornetsecurity, a cloud email security and backup provider, said.

The study, which gleaned data from a survey of 2,000 IT professionals, also found that many businesses may not be helping themselves by not pushing back enough on the hackers, declining the FBI’s advice not to pay ransoms. According to Hornet’s data, roughly 7% paid the ransom and 14% lost data, proving an incentive for extortionists to attack harder and raise the stakes.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.