New ESXiArgs Ransomware Variant Emerges After CISA Releases Decryptor Tool

February 11, 2023 | Ravie Lakshmanan | Ransomware/Endpoint Security


After the US Cybersecurity and Infrastructure Security Agency (CISA) released a decryption tool to help affected victims recover from ESXiArgs ransomware attacks, the attackers have come back with an updated version that encrypts more data.

The appearance of the new variant was reported by a system administrator on an online forum, where another participant said that files larger than 128MB now have 50% of their data encrypted, making the recovery process more difficult.

Another notable change is the removal of the Bitcoin address from the ransom note. The attackers instead urge victims to contact them on Tox to get the wallet information.

“It’s also possible that the attackers found researchers tracking their payments, and knew before releasing the ransomware that the encryption process of the original variant was relatively easy to circumvent,” Censys said in the article.

“In other words, they are watching.”

Statistics shared by the crowdsourced platform Ransomwhere show that, as of February 9, 2023, 1,252 servers were infected with the new version of ESXiArgs, of which 1,168 were re-infected.

Over 3,800 unique hosts have been compromised since the ransomware outbreak began in early February. The majority of infections are in France, the United States, Germany, Canada, the United Kingdom, the Netherlands, Finland, Turkey, Poland, and Taiwan.

ESXiArgs, like Cheerscrypt and PrideLocker, is based on the Babuk locker, whose source code was leaked in September 2021. Ransomware-as-a-Service (RaaS) model.


“The ransom is set at just over 2 bitcoins (US$47,000) and victims must pay within three days,” said cybersecurity firm Intel471.

Initially, the intrusions were suspected to involve exploitation of a two-year-old, since-patched OpenSLP bug in VMware ESXi (CVE-2021-21974), but compromises have also been reported on devices with that network discovery protocol disabled.

VMware later said it found no evidence to suggest that zero-day vulnerabilities in its software were being used to spread ransomware.

This indicates that the attackers behind the activity may be taking advantage of several known vulnerabilities in ESXi, making it imperative that users update to the latest version promptly. The attacks have not yet been attributed to any known attacker or group.


“Based on the ransom note, the campaign is linked to a single threat actor or group,” pointed out Arctic Wolf. “More established ransomware groups typically run OSINT on potential victims before making an intrusion and set ransom payments based on perceived value.”

Cybersecurity firm Rapid7 says it has found 18,581 internet-facing ESXi servers vulnerable to CVE-2021-21974, adding that it has also observed RansomExx2 actors opportunistically targeting vulnerable ESXi servers.

Tony Lauro, Director of Security Technology and Strategy at Akamai, said:

“The ESXiArgs ransomware is a prime example of why system administrators should patch as soon as they are released, and how long it takes for attackers to successfully launch their attacks.”
