Massive ransomware attack targets VMware ESXi servers worldwide

A global ransomware attack has hit thousands of servers running the VMware ESXi hypervisor, with many more servers expected to be affected, according to national cybersecurity agencies and security experts around the world.

The Computer Emergency Response Team of France (CERT-FR) was the first to notice and send an alert about the attack.

“On February 3, CERT-FR became aware of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them,” CERT-FR wrote.

Other national cybersecurity agencies — including organizations in the US, France and Singapore — have also issued alerts about the attack. Servers have been compromised in France, Germany, Finland, the US and Canada, according to reports.

More than 3,200 servers have been compromised globally so far, according to cybersecurity firm Censys.

CERT-FR and other agencies report that the attack campaign exploits the CVE-2021-21974 vulnerability, for which a patch has been available since February 23, 2021. The vulnerability affects the Service Location Protocol (SLP) service and allows attackers to execute arbitrary code remotely. The systems currently targeted are ESXi hypervisors in version 6.x, prior to 6.7, CERT-FR stated.


VMware ESXi Servers Targeted in Large-Scale Ransomware Campaign

The French Computer Emergency Response Team (CERT-FR) has warned about an ongoing ransomware campaign targeting VMware ESXi hypervisors that have not been patched against the critical heap-overflow vulnerability tracked as CVE-2021-21974.

VMware issued a patch on February 3, 2021, to fix the vulnerability; however, hundreds of VMware ESXi virtual machines are still vulnerable to the exploit and are now being attacked. The vulnerability affects the Open Service Location Protocol (OpenSLP) service and can be exploited by an unauthenticated attacker in a low-complexity attack to remotely execute code.

According to CERT-FR, the campaign targets ESXi hypervisors in version 6.x prior to 6.7 through OpenSLP port 427; the agency warns that the following versions are vulnerable to the exploit:

  • ESXi 7.x versions earlier than ESXi70U1c-17325551
  • ESXi versions 6.7.x earlier than ESXi670-202102401-SG
  • ESXi versions 6.5.x earlier than ESXi650-202102101-SG

A workaround has been provided by CERT-FR in the alert for any organizations unable to immediately apply the patch, but CERT-FR strongly recommends patching to address the issue. CERT-FR has warned that patching the vulnerability or applying the workaround is not sufficient to protect against attacks, as the vulnerability may already have been exploited to deliver malicious code. After applying the mitigations, system scans should be performed to detect signs of compromise. VMware said the attacks involve a new ransomware variant dubbed ESXiArgs, which appends encrypted files with the .args extension. While it has yet to be confirmed, these attacks do not appear to involve data exfiltration, only file encryption.
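As an added example (not code from CERT-FR, VMware or the articles above), a small Python triage helper built only from the details in the alert: it gates a host's `vmware -v` version string against the fixed 7.x build named above and the named 6.x patch bulletins, and scans a datastore file listing for the `.args` extension ESXiArgs appends. The version strings and file paths are constructed samples; `installed_bulletins` is an assumed caller-supplied list, and since the page gives no build numbers for the 6.x fixes, those branches are judged by bulletin ID rather than build.

```python
"""Defender-side ESXiArgs triage: version gate plus .args file scan (added example)."""
import re
from collections import defaultdict

# Build of ESXi70U1c, the first fixed 7.x release named in the alert.
FIXED_7X_BUILD = 17325551
# Patch bulletins the alert names for the 6.x branches.
FIXED_6X_BULLETIN = {"6.7": "ESXi670-202102401-SG", "6.5": "ESXi650-202102101-SG"}

# `vmware -v` prints e.g. "VMware ESXi 7.0.1 build-17325551"
_VER_RE = re.compile(r"VMware ESXi (\d+)\.(\d+)\.(\d+) build-(\d+)")


def is_vulnerable_build(vmware_v: str, installed_bulletins=()) -> bool:
    """True if the host is in a range the alert lists as unpatched.
    installed_bulletins: assumed caller-supplied IDs of applied bulletins."""
    m = _VER_RE.search(vmware_v)
    if not m:
        raise ValueError(f"unrecognised version string: {vmware_v!r}")
    major, minor, _patch, build = (int(x) for x in m.groups())
    if major >= 7:
        return build < FIXED_7X_BUILD           # 7.x: numeric build compare
    branch = f"{major}.{minor}"
    if branch in FIXED_6X_BULLETIN:             # 6.5 / 6.7: bulletin present?
        return FIXED_6X_BULLETIN[branch] not in installed_bulletins
    return major == 6                           # 6.x before 6.7: targeted per alert


def find_args_encrypted(listing):
    """listing: datastore paths (e.g. from `find /vmfs/volumes`).
    Returns {vm_dir: [(encrypted_path, original_still_present)]}."""
    present = set(listing)
    hits = defaultdict(list)
    for path in listing:
        if path.endswith(".args"):
            original = path[: -len(".args")]
            hits[path.rsplit("/", 1)[0]].append((path, original in present))
    return dict(hits)


# Constructed sample listing, not output from a real host.
SAMPLE_LISTING = [
    "/vmfs/volumes/ds1/web01/web01.vmx.args",
    "/vmfs/volumes/ds1/web01/web01.vmdk.args",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk",
    "/vmfs/volumes/ds1/db01/db01.vmx",
    "/vmfs/volumes/ds1/db01/db01.vmdk",
]

if __name__ == "__main__":
    print(is_vulnerable_build("VMware ESXi 7.0.0 build-16000000"))
    for vm_dir, files in find_args_encrypted(SAMPLE_LISTING).items():
        print(vm_dir, files)
```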


Over the weekend, security researchers have been reporting that hundreds of machines have been attacked, which likely involves automated or semi-automated exploitation of the vulnerability. Over 500 machines are believed to have been targeted, with The Stack reporting…


OSINT in Current and Future Military Operations

In recent years, the international security environment has evolved in a way that lays greater emphasis on information gathering and analysis. This is largely due to the proliferation of digital technologies and the internet, which have made it easier for individuals, organisations, and governments to access, share, and disseminate information. As a result, the traditional concept of ‘national security’ has expanded to include cyber security, information security, and online propaganda.

In this context, ‘Open-Source Intelligence’ (OSINT) has emerged as an important tool and resource for governments, militaries, intelligence organisations, and individuals. It refers to information that is publicly available and can be collected from a wide range of sources, including the internet, social media, newspapers, and government websites.

The rise of information warfare and the need for intelligence on digital fronts has made OSINT an even more crucial resource for organisations dealing with the national security of a state. Various examples and case studies show it can provide valuable information that can be used to make informed decisions about foreign policy, intelligence operations, and military strategy; understand and respond to global security threats; support military operations; and gain a deeper understanding of conflicts. By analysing data from various sources such as social media, online forums, and satellite imagery, OSINT analysts can gain a better understanding of movements and activities in conflict areas. For instance, the US military used OSINT to track and monitor the Islamic State of Iraq and Syria (ISIS), through information on the location, movements, and activities of ISIS leaders and fighters, as well as its financial and logistical networks, thereby becoming a true force multiplier.

Not only this, OSINT can be used to monitor and counter disinformation, propaganda, and misinformation, which are widely used by state and non-state actors to influence public opinion and political decisions. The ongoing Russia-Ukraine War, characterised by a high degree of disinformation and propaganda on both sides, is also a case study of OSINT. One of the key aspects of…


Major Florida hospital hit by a possible ransomware attack

A major hospital system in northern Florida said Friday it is diverting some emergency room patients and canceling surgeries after a security problem with information technology.

Tallahassee Memorial HealthCare said the issue began affecting its systems late Thursday night and has forced the hospital to shut down its IT network.


It had the hallmarks of a ransomware attack, but the hospital has not yet characterized it as such, instead calling it an “IT security issue.” Victims often at least initially decline to confirm ransomware attacks.

The hospital said in a statement that it was diverting some emergency room patients and rescheduling non-emergency patient appointments through Monday. It said it is not moving patients currently in the hospital to other facilities.


Patients will be contacted directly if their appointments are affected, spokeswoman Tori Lynn Schneider said in a statement.

It was unclear when systems would fully return online. The hospital said it has been working with law enforcement.


The hospital, headquartered in Tallahassee, provides health care across 21 counties in northern Florida and southern Georgia, according to its website.

Cybersecurity firm Emsisoft said there were 25 ransomware attacks involving hospitals or hospital systems last year.
