Hundreds of organisations worldwide have been targeted by a hacking campaign exploiting VMware’s ESXi servers to deploy the new ESXiArgs ransomware variant.
French and Italian cyber security agencies issued an urgent warning last week after attackers were found to be actively targeting servers left unpatched against a two-year-old remote code execution (RCE) vulnerability.
Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow issue in the OpenSLP service and can enable an attacker to remotely execute arbitrary code.
VMware confirmed it is aware of exploit reports, adding that it issued a patch in February 2021 upon discovery of the vulnerability. However, the vendor urged customers to immediately apply the patch if the ESXi hypervisor has not yet been updated.
Widespread exploitation
Analysis from ransomware monitoring service Darkfeed found that the spread of the ESXiArgs ransomware is “extensive” and could have affected at least 327 organisations worldwide.
“The most targeted system is from France on OVH cloud and Hetzner hosting,” the service said on Twitter. “But they have hit other hosting and cloud companies around that world.”
In a statement on 3 February, OVH confirmed it was responding to the wave of attacks, adding that its managed cloud service had not been impacted.
“A wave of attacks is currently targeting ESXi servers,” the company said. “No OVHcloud managed services are impacted by this attack however, since a lot of customers are using this operating system on their own servers, we provide this post as a reference in support to help them in their remediation.”
Royal ransomware
Initial speculation from OVH suggested that this campaign was related to the new Nevada ransomware strain, which first emerged in December last year.
However, reports over the weekend pointed towards the Royal Ransomware strain as a key driver behind the wave of attacks against ESXi virtual machines.
Royal Ransomware started launching attacks in early 2022, with the group made up of previous veterans of the infamous Conti ransomware gang.
The group has accelerated operations in recent months, focusing attacks on US-based healthcare organisations and specifically targeting Linux systems more recently.
Stefan van der Wal, consulting solutions engineer at Barracuda Networks said that the current campaign highlights the critical risk for organisations failing to update software.
RELATED RESOURCE
2022 Magic quadrant for Security Information and Event Management (SIEM)
SIEM is evolving into a security platform with multiple features and deployment models
“The reported widespread ransomware attacks against unpatched VMware ESXi systems in Europe and elsewhere appear to have exploited a vulnerability for which a patch was made available in 2021,” he said.
“This highlights how important it is to update key software infrastructure systems as quickly as possible.
“It isn’t always easy for organisations to update software. In the case of this patch, for example, organisations need to disable temporarily essential parts of their IT infrastructure. But it is far better to face that than to be hit by a potentially damaging attack.”
Van der Wal added that virtual machines are becoming an increasingly attractive target for ransomware gangs due to their use in running business-critical services and functions.
“Securing virtual infrastructure is vital,” he said. “It is particularly important to ensure that access to a virtual system’s management console is secured and can’t be easily accessed through a compromised account on the corporate network, for example.”
-
Google tells some remote workers to return to the office or risk losing jobsNews Google has warned remote workers will need to return to the office or else lose their jobs, according to reports.
-
IBM puts on a brave face as US government cuts hit 15 contractsNews Despite the cuts, IBM remains upbeat after promising quarterly results
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the lastNews Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the USNews A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field dayNews February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impactedNews The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Warning issued over prolific 'Ghost' ransomware groupNews The Ghost ransomware group is known to act fast and exploit vulnerabilities in public-facing appliances
