
Over 500 hosts were compromised en masse by the new ESXiArgs ransomware strain. Most of them are in France, Germany, Holland, UK, and Ukraine.
The findings, from attack surface management firm Censys, report the discovery of “two hosts with very similar ransom notes dating back to mid-October 2022, shortly after the end of life of ESXi versions 6.5 and 6.7.”
The first series of infections dates back to October 12, 2022, much earlier than when the campaign started gaining momentum in early February 2023. Then, on January 31, 2023, the ransom notes on the two hosts were reportedly updated to a revised version matching the one used in the current wave.
The key differences between the two ransom notes are the use of Onion URLs instead of Tox chat IDs, the Proton Mail address listed at the bottom of the note, and a lower ransom demand (1.05 bitcoin vs. 2.09 bitcoin).
“Each variant of the ransom note from October 2022 to February 2023 is very similar in wording to notes from Cheerscrypt, a previous ransomware variant that gained notoriety in early 2022,” researchers Mark Ellzey and Emily Austin said.
ESXiArgs is suspected to be based on the leaked Babuk ransomware source code, which also spawned other variants such as Cheerscrypt and PrideLocker last year.

This development comes less than a week after the threat actor returned with a new variant that tweaked the encryption method and ransom note, following the release of a decryption tool to aid recovery of infected systems.
Since then, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has said that attackers are “likely targeting ESXi servers that have reached end of life or lack the available ESXi software patches.”
“The VMware ESXi vulnerability is a stark reminder of the importance of keeping systems up-to-date with the latest security patches while employing strong perimeter defenses,” said Martin Zugec of Bitdefender.
“Attackers don’t need to hunt around for new exploits and new techniques when they know that many organizations are vulnerable to old exploits due to lack of proper patch management and risk management.”
This surge also coincides with an 87% year-over-year increase in ransomware attacks targeting industrial organizations in 2022, with 437 of the 605 attacks targeting manufacturing, according to a new report from Dragos. Ransomware continues to evolve, in part through the ransomware-as-a-service (RaaS) model.
According to data collected by the industrial security firm, 189 ransomware attacks were reported in the final quarter of 2022 alone. The top targeted industries were manufacturing (143), food and beverage (15), energy (14), pharmaceuticals (9), oil and gas (4), and mining (1).