2,100 virtual machines targeted by ransomware


Very bad weekend for the operators of servers running the ESXi virtual machine hypervisor. A ransomware campaign affecting certain versions of this software began last Friday. Spotted by the president of the hosting provider Scaleway and by CERT-FR, the malicious wave was described as “massive”.

According to the Onyphe search engine, which specializes in attack surface analysis, more than 2,100 virtual machines had allegedly been compromised, according to a tally posted on Twitter on Sunday evening. On Friday, operators were advised to shut down or disconnect their ESXi infrastructure as soon as possible.

Ransom of two bitcoins

Visibly taken aback, victims have already posted their accounts on the forum of the specialized media outlet Bleeping Computer. They report ransom demands of 2 bitcoins, or approximately 42,000 euros. “We are affected on several ESXi but not all. However, it’s a hassle to find the right patch,” a French-speaking Internet user also says on Twitter.

As spotted by Le Mag IT, several French organizations appear to have fallen victim to this campaign, from a local radio station in the Alps to the association Nice Weather 06. But while the attack was first noticed by French organizations, the malicious campaign is hitting targets around the world. This is the case, for example, of the University of Naples, in Italy.

Attribution still unclear

According to CERT-FR, the attack is believed to rely on the exploitation of a vulnerability (CVE-2021-21974) that has been patched since February 2021.

However, the ANSSI alert center cautiously specifies that this is only a preliminary conclusion “in the current state of the investigations”. Similarly, while OVH initially thought it saw the Nevada ransomware at work in this campaign, the hosting provider has since become more reserved about the attribution.

The company also specifies in a blog post that it has launched “several initiatives to identify vulnerable servers” among its customers before notifying them. “In some cases, file encryption may partially fail, allowing data to be recovered,” adds the host, which reports that a Turkish security researcher, Enes Sönmez, has detailed a method to recover the contents of an affected virtual server.
