IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Warning issued over ransomware attacks targeting VMware ESXi servers globally

Businesses have been urged to patch the two-year-old vulnerability amidst heightened ransomware threats

Hundreds of organisations worldwide have been targeted by a hacking campaign exploiting VMware’s ESXi servers to deploy the new ESXiArgs ransomware variant.

French and Italian cyber security agencies issued an urgent warning last week after attackers were found to be actively targeting servers left unpatched against a two-year-old remote code execution (RCE) vulnerability.  

Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow issue in the OpenSLP service and can enable an attacker to remotely execute arbitrary code.  

VMware confirmed it is aware of exploit reports, adding that it issued a patch in February 2021 upon discovery of the vulnerability. However, the vendor urged customers to immediately apply the patch if the ESXi hypervisor has not yet been updated.  

Widespread exploitation 

Analysis from ransomware monitoring service Darkfeed found that the spread of the ESXiArgs ransomware is “extensive” and could have affected at least 327 organisations worldwide. 

“The most targeted system is from France on OVH cloud and Hetzner hosting,” the service said on Twitter. “But they have hit other hosting and cloud companies around that world.” 

In a statement on 3 February, OVH confirmed it was responding to the wave of attacks, adding that its managed cloud service had not been impacted.  

“A wave of attacks is currently targeting ESXi servers,” the company said. “No OVHcloud managed services are impacted by this attack however, since a lot of customers are using this operating system on their own servers, we provide this post as a reference in support to help them in their remediation.” 

Royal ransomware  

Initial speculation from OVH suggested that this campaign was related to the new Nevada ransomware strain, which first emerged in December last year.  

However, reports over the weekend pointed towards the Royal Ransomware strain as a key driver behind the wave of attacks against ESXi virtual machines. 

Royal Ransomware started launching attacks in early 2022, with the group made up of previous veterans of the infamous Conti ransomware gang.  

The group has accelerated operations in recent months, focusing attacks on US-based healthcare organisations and specifically targeting Linux systems more recently. 

Stefan van der Wal, consulting solutions engineer at Barracuda Networks said that the current campaign highlights the critical risk for organisations failing to update software.  

Related Resource

2022 Magic quadrant for Security Information and Event Management (SIEM)

SIEM is evolving into a security platform with multiple features and deployment models

Whitepaper cover with title, text, and SWOT analysis chartFree Download

“The reported widespread ransomware attacks against unpatched VMware ESXi systems in Europe and elsewhere appear to have exploited a vulnerability for which a patch was made available in 2021,” he said.  

“This highlights how important it is to update key software infrastructure systems as quickly as possible. 

“It isn’t always easy for organisations to update software. In the case of this patch, for example, organisations need to disable temporarily essential parts of their IT infrastructure. But it is far better to face that than to be hit by a potentially damaging attack.” 

Van der Wal added that virtual machines are becoming an increasingly attractive target for ransomware gangs due to their use in running business-critical services and functions. 

“Securing virtual infrastructure is vital,” he said. “It is particularly important to ensure that access to a virtual system’s management console is secured and can’t be easily accessed through a compromised account on the corporate network, for example.” 

Featured Resources

Defending against malware attacks starts here

The ultimate guide to building your malware defence strategy

Free Download

Datto SMB cyber security for MSPs report

A world of opportunity for MSPs

Free Download

The essential guide to preventing ransomware attacks

Vital tips and guidelines to protect your business using ZTNA and SSE

Free Download

Medium businesses: Fuelling the UK’s economic engine

A Connected Thinking report

Free Download

Recommended

VMware would be 'in a fine position' if Broadcom's takeover deal collapsed
Business strategy

VMware would be 'in a fine position' if Broadcom's takeover deal collapsed

12 Dec 2022
How to build a multi-cloud strategy to meet your business goals
Whitepaper

How to build a multi-cloud strategy to meet your business goals

5 Dec 2022
VMware vows to fight 'cloud chaos'
Business strategy

VMware vows to fight 'cloud chaos'

11 Nov 2022
VMware brings XDR capabilities to Carbon Black in a push for lateral security
network security

VMware brings XDR capabilities to Carbon Black in a push for lateral security

9 Nov 2022

Most Popular

Getting the best value from your remote support software
Advertisement Feature

Getting the best value from your remote support software

13 Mar 2023
Microsoft set to block emails from unsupported Exchange servers
Security

Microsoft set to block emails from unsupported Exchange servers

28 Mar 2023
What the UK can learn from the rest of the world when it comes to the shift to IP
Sponsored

What the UK can learn from the rest of the world when it comes to the shift to IP

20 Mar 2023