Ransomware Attack on Thousands of VMware ESXi Servers

February 14, 2024

INCIDENT

A vast ransomware infection campaign hit VMware ESXi servers around the world on February 3. The scale suggests an automated operation.

Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy a new ESXiArgs ransomware. Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow issue in the OpenSLP service that can be exploited by unauthenticated threat actors in low-complexity attacks.

While the threat actors behind this attack claim to have stolen data, one victim reported in the BleepingComputer forums that it was not the case in their incident. Victims have also found ransom notes named "ransom.html" and "How to Restore Your Files.html" on locked systems. Others said that their notes are plaintext files.
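The ransom-note filenames quoted above are the most reliable indicator an administrator has when triaging a datastore after this campaign. The following is an added example (not code from the original write-up or from any vendor) of a small triage helper that walks a mounted datastore directory, flags every VM folder containing one of those note names, and returns a blast-radius summary. The datastore layout (one top-level folder per VM) and the constructed sample tree are assumptions for the demo; the plaintext-note variant mentioned by some victims has no fixed name on the page, so the name list is a parameter rather than a hard-coded constant.

```python
"""Added example: flag VM folders on a datastore that contain ESXiArgs ransom notes.

Not part of the original incident write-up. The datastore layout and the
sample tree built by build_sample_datastore() are constructed assumptions.
"""
import os
import shutil
import tempfile
from collections import defaultdict

# Ransom-note filenames named in the write-up. Victims also reported
# plaintext notes without a fixed name, so callers can pass their own set.
KNOWN_NOTE_NAMES = frozenset({"ransom.html", "How to Restore Your Files.html"})


def find_ransom_notes(root, note_names=KNOWN_NOTE_NAMES):
    """Return {relative_dir: [note paths]} for every directory under root
    that holds a file whose name matches a known ransom-note name."""
    hits = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name in note_names:
                rel = os.path.relpath(dirpath, root)
                hits[rel].append(os.path.join(dirpath, name))
    return dict(hits)


def summarize(root, note_names=KNOWN_NOTE_NAMES):
    """Return (clean_vm_count, affected_vm_count, affected_vm_names) for the
    top-level VM folders under root; a quick blast-radius estimate before
    deciding restore priorities. Notes sitting in the datastore root itself
    (relpath ".") are ignored for the per-VM count."""
    hits = find_ransom_notes(root, note_names)
    affected = sorted({rel.split(os.sep)[0] for rel in hits if rel != "."})
    vm_dirs = [d for d in os.listdir(root) if os.path.isdir(os.path.join(root, d))]
    return len(vm_dirs) - len(affected), len(affected), affected


def build_sample_datastore():
    """Create a constructed datastore tree: two VM folders with a ransom note
    each and one clean folder. Returns the temp root path."""
    root = tempfile.mkdtemp(prefix="datastore1-")
    layout = {
        "web01": ["web01.vmx", "web01.vmdk", "ransom.html"],
        "db01": ["db01.vmx", "db01.vmdk", "How to Restore Your Files.html"],
        "jump01": ["jump01.vmx", "jump01.vmdk"],
    }
    for vm, files in layout.items():
        os.makedirs(os.path.join(root, vm))
        for fname in files:
            with open(os.path.join(root, vm, fname), "w") as fh:
                fh.write("constructed sample content\n")
    return root


def remove_sample(root):
    """Delete the constructed sample tree."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    ds = build_sample_datastore()
    try:
        clean, affected, names = summarize(ds)
        print(f"affected VM folders: {affected} {names}; clean: {clean}")
        for rel, notes in find_ransom_notes(ds).items():
            print(f"  {rel}: {notes}")
    finally:
        remove_sample(ds)
```

Run it against a datastore mount point instead of the sample tree to get a list of VM folders to prioritise for restore; because it only reads filenames, it is safe to run on a host that is still being preserved for forensics.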

Incident Date

February 3, 2023

Location

Global

Estimated Cost

No cost values disclosed.

Victims

No victims identified

Type of Malware

No Malware identified