Ransomware: ESXiArgs hackers update to counter decryption solutions


A second round has opened in the ransomware campaign targeting VMware ESXi hypervisors. Dubbed ESXiArgs, a reference to the .args extension of encrypted files, the ransomware has been active since last Friday and has spread in France and around the world.

First piece of bad news: as spotted by BleepingComputer, the attackers have already updated their program, a way of defeating the data recovery methods that had been shared publicly.

Improved encryption

The malware, which may be based on a version of the Babuk ransomware, has been modified to encrypt a larger share of each targeted file. Initially it encrypted only part of each file, presumably to finish faster, which left a large portion of the data in the clear.

According to researcher Michael Gillespie, quoted by BleepingComputer, files larger than 128 megabytes are now more than 50% encrypted, which probably makes them unrecoverable. The American outlet adds that this new scheme renders the recovery methods shared over the past week obsolete.
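Whether a partially encrypted file still holds enough cleartext to be worth recovering can be measured directly on the disk file. The Python script below is an added example for this article, not the ransomware's code and not one of the published recovery tools: it walks a file in fixed-size blocks, computes the Shannon entropy of each block, and reports which byte ranges look like ciphertext and what fraction of the file they cover. The 64 KiB block size, the 7.5 bits-per-byte threshold and the synthetic sample file it builds are assumptions made for the example and do not describe the actual chunking used by the malware.

```python
import math
import os
from collections import Counter

BLOCK_SIZE = 64 * 1024          # scan granularity; an assumption for this example
ENCRYPTED_THRESHOLD = 7.5       # bits per byte; ciphertext sits near 8.0, text and
                                # disk metadata usually well below


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte of the block (0.0 for an empty block)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE):
    """Yield an in-memory buffer as consecutive fixed-size blocks."""
    for off in range(0, len(data), block_size):
        yield data[off:off + block_size]


def read_blocks(path: str, block_size: int = BLOCK_SIZE):
    """Stream a (possibly very large) file as blocks without loading it whole."""
    with open(path, "rb") as fh:
        while chunk := fh.read(block_size):
            yield chunk


def analyse(blocks, threshold: float = ENCRYPTED_THRESHOLD):
    """Return (encrypted_ratio, regions) for a sequence of blocks.

    encrypted_ratio is the fraction of bytes inside high-entropy blocks;
    regions is a list of (start, end) byte ranges, adjacent blocks merged.
    """
    total = enc = off = 0
    regions = []
    for block in blocks:
        end = off + len(block)
        if shannon_entropy(block) > threshold:
            enc += len(block)
            if regions and regions[-1][1] == off:
                regions[-1] = (regions[-1][0], end)   # extend the previous run
            else:
                regions.append((off, end))
        off = total = end
    return (enc / total if total else 0.0), regions


def make_sample(total_blocks: int = 16, encrypted_every: int = 4,
                block_size: int = BLOCK_SIZE) -> bytes:
    """Constructed stand-in for a partially encrypted flat disk file:
    every Nth block is random bytes (ciphertext), the rest is repetitive text."""
    line = b"VMDK sample text block, low entropy\n"
    plain = (line * (block_size // len(line) + 1))[:block_size]
    return b"".join(os.urandom(block_size) if i % encrypted_every == 0 else plain
                    for i in range(total_blocks))


if __name__ == "__main__":
    # Constructed input; on a real incident pass read_blocks("/vmfs/.../disk-flat.vmdk")
    ratio, regions = analyse(split_blocks(make_sample()))
    print(f"encrypted ratio: {ratio:.2f}")
    for start, end in regions:
        print(f"  high-entropy region {start:#x}-{end:#x}")
```

A ratio well under 0.5 with short, regularly spaced regions is the pattern that made the first wave's files worth attempting to recover; a file where most bytes fall into high-entropy regions, as the article describes for the updated variant, is not a candidate. Compressed or already-encrypted guest data will also score high, so treat the result as a triage signal rather than proof.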

Turkish security researchers had found a workaround with a success rate of about 60%, according to threat intelligence company Intel 471. The US cybersecurity agency CISA had also published, a few days earlier, a script to recover encrypted files, tools that CERT-FR relayed as well.

Reinfections

Second piece of bad news: according to one CISA expert, the vast majority of new victims are machines already infected during the first wave. Victims report being hit again even though SLP, the service believed to be the entry point, had been disabled. “Either another vulnerability is used, or there remained a back door after the first attack”, one user wonders.

In a summary of its investigations published on February 5, CERT-FR, the incident response center of ANSSI, assessed that the attackers had exploited known vulnerabilities in the SLP service of ESXi hypervisors to gain access. “Exploitation codes have been available in open source since at least May 2021”, CERT-FR noted at the time. For its part, VMware, the hypervisor's vendor, said on Monday that it had found no evidence that an unknown flaw, a 0-day, was being used.

Automation

According to the Shodan search engine, the three countries most affected by the campaign are France (including a local radio station and an association in the Alpes-Maritimes), the United States (including a judicial institution and universities), and Germany. Within days the ransomware had claimed at least 3,276 victim systems, according to the Austrian incident response center.

The campaign brings automated, opportunistic ransomware attacks back into fashion after several years dominated by “Big Game Hunting”, the targeted kind. The operation is far from over: several tens of thousands of vulnerable hypervisors reportedly remain exposed and could still be compromised.

Administrators are strongly advised to reinstall their hypervisors and apply all security patches; the reinfection reports show that disabling SLP alone has not been enough.




