More than 500 European organizations have been hit by ESXiArgs ransomware attacks over the past few days, according to a new report from attack surface management firm Censys.
Most of the targets are located in France (217), Germany (137), the Netherlands (28), the UK (23), and Ukraine (19).
First reported at the beginning of February, the ESXiArgs ransomware has hit more than 3,000 unpatched VMware ESXi servers worldwide, including servers belonging to Florida’s Supreme Court and to universities in the United States and Europe.
The threat actors behind ESXiArgs appear to be exploiting a two-year-old remote code execution vulnerability in VMware ESXi to deploy the ransomware.
Tracked as CVE-2021-21974, the flaw is a heap-based buffer overflow in the OpenSLP service that can be exploited by an unauthenticated attacker for remote code execution on the underlying server. The bug affects ESXi versions 7.x prior to ESXi70U1c-17325551, ESXi versions 6.7.x prior to ESXi670-202102401-SG, and ESXi versions 6.5.x prior to ESXi650-202102101-SG.
Once the hackers breach an ESXi server, they encrypt files and leave a ransom note behind, asking for $50,000 in bitcoin to decrypt each infected server.
Following the ransomware onslaught, the US Cybersecurity and Infrastructure Security Agency (CISA) released a tool for recovering VMware ESXi servers encrypted by the ESXiArgs ransomware. However, a new ESXiArgs variant has since emerged that uses a modified encryption routine encrypting far more data in large files, which makes encrypted VMware ESXi servers much harder to recover.
Censys researchers said they found two hosts that were infected with ESXiArgs as far back as October 2022, well before the ESXiArgs attacks began making headlines at the start of February 2023. On January 31, 2023, the ransom notes on the two hosts are said to have been updated with a revised version that matches the ones used in the current wave.
Some of the key differences between the October note and those used in the recent ransomware waves include the use of an onion URL instead of a Tox chat ID, a Proton Mail address at the bottom of the note, and a lower ransom demand.
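A triage helper for the note differences described above, added here as an example and not taken from the Censys report or any ESXiArgs sample; it assumes the Tox ID, onion address and Proton Mail patterns below, and the sample notes, contact strings and amounts are constructed placeholders:

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicator patterns for the three differences the report lists (assumed
# formats: a Tox ID is 76 hex characters; a v3 onion address is base32 + ".onion").
TOX_ID_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
PROTON_RE = re.compile(r"\b[\w.+-]+@(?:proton\.me|protonmail\.com)\b", re.IGNORECASE)
BTC_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:BTC|bitcoin)", re.IGNORECASE)

@dataclass
class NoteIndicators:
    tox_id: Optional[str]
    onion_url: Optional[str]
    proton_address: Optional[str]
    ransom_btc: Optional[float]

def extract_indicators(note: str) -> NoteIndicators:
    """Pull the contact and payment indicators out of a ransom note's text."""
    tox, onion = TOX_ID_RE.search(note), ONION_RE.search(note)
    proton, btc = PROTON_RE.search(note), BTC_RE.search(note)
    return NoteIndicators(
        tox_id=tox.group(0) if tox else None,
        onion_url=onion.group(0) if onion else None,
        proton_address=proton.group(0) if proton else None,
        ransom_btc=float(btc.group(1)) if btc else None,
    )

def classify_note(note: str) -> str:
    """Map a note to the variant family the report describes, or 'unknown'."""
    ind = extract_indicators(note)
    if ind.onion_url and ind.proton_address and not ind.tox_id:
        return "2023-wave"      # onion URL + Proton Mail contact, no Tox ID
    if ind.tox_id and not ind.onion_url and not ind.proton_address:
        return "october-2022"   # Tox chat ID only
    return "unknown"

# Constructed sample notes (placeholders, not real ESXiArgs notes or amounts).
OCTOBER_2022_SAMPLE = (
    "Your files are encrypted. Send 3.0 BTC to recover.\n"
    "Contact via Tox ID: " + "0123456789ABCDEF" * 4 + "0123456789AB" + "\n"
)
FEB_2023_SAMPLE = (
    "Your files are encrypted. Send 2.0 BTC to recover.\n"
    "Contact: http://" + "example" * 8 + ".onion\n"
    "Mail: placeholder-contact@proton.me\n"
)
```

Running `classify_note` and `extract_indicators` over notes collected from encrypted hosts lets a responder sort them by variant family and confirm the lower demand without reading each one by hand.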
“Each variant of the ransom notes from October 2022 through February 2023 is strikingly similar in wording to the note of an earlier ransomware variant, Cheerscrypt, which gained notoriety in early 2022. While they may share a similar ransom note, researchers have determined that they have different encryption methods–meaning they are likely associated with different groups,” the researchers said.
Censys said they found no evidence that Cheerscrypt ransom notes were internet-facing; rather, they were stored on the filesystem of the compromised machine. If that’s indeed the case, then the two discovered compromised servers are likely precursors to the current campaign.