Massive ransomware attack targets VMware ESXi servers worldwide
A global ransomware attack has hit thousands of servers running the VMware ESxi hypervisor, with many more servers expected to be affected, according to national cybersecurity agencies and security experts around the world.
The Computer Emergency Response Team of France (CERT-FR) was the first to notice and send an alert about the attack.
“On February 3, CERT-FR became aware of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them,” CERT-FR wrote.
Other national cybersecurity agencies — including organizations in the US, France and Singapore — have also issued alerts about the attack. Servers have been compromised in France, Germany, Finland, the US and Canada, according to reports.
More than 3,200 servers have been compromised globally so far, according to cybersecurity firm Censys.
CERT-FR and other agencies report that the attack campaign exploits the CVE-2021-21974 vulnerability, for which a patch has been available since February 23, 2021. This vulnerability affects the Service Location Protocol (SLP) service and allows attackers to exploit arbitrary code remotely. The systems currently targeted are ESXi hypervisors in version 6.x, prior to 6.7, CERT-FR stated.
“The SLP can be disabled on any ESXi servers that haven’t been updated, in order to further mitigate the risk of compromise,” CERT-FR wrote in its notice.
An alert from cybersecurity provider DarkFeed over the weekend said that in Europe, France and Germany were most affected by the attack. Most of the servers that were hit in France and Germany were being hosted by hosting providers OVHcloud and Hetzner, respectively, according to DarkFeed.
A ransom note issued to the victims of the attack posted publicly by DarkFeed said in part: “Security alert! We hacked your company successfully … Send money within 3 days, otherwise we will expose some data and raise the price.”
The note quoted by DarkFeed said to send 2.01584 (about US$23,000) to a bitcoin wallet, but apparently the threat actor is using different wallets to collect fees. “What’s interesting is that the bitcoin wallet is different in every ransom note. No website for the…
