A global spree of ransomware attacks targeting organizations using VMware ESXi has confounded cyber authorities and experts.

The initial access vector for ESXiArgs ransomware has yet to be confirmed and independently verified. The identity of potential victims and the extent of damage caused also remains unknown.

The bulk of activity thus far occurred between Feb. 3 and Feb. 11, according to threat researchers.

A subsequent burst of attacks was observed Saturday with more than 500 hosts infected by the new ESXiArgs ransomware strain, most of which are located in France, Germany, the Netherlands and the UK, according to Censys research released on Wednesday.

The attack surface firm also said it “discovered two hosts with strikingly similar ransom notes dating back to mid-October 2022.” Censys built a dashboard to illustrate the countries and hosts where the new variant of ESXiArgs ransomware has been detected.

Here, less than two weeks after the first spree of attacks got underway, is what we know about ESXiArgs so far: 

How many affected

The first wave of attacks started on Feb. 3 and nearly 2,000 servers were compromised within 24 hours, according to Patrice Auffret, founder, CTO and CEO of the France-based cybersecurity firm Onyphe.

“A ransomware variant dubbed ESXiArgs appears to be targeting end of general support or significantly out of date products by leveraging known vulnerabilities previously addressed and disclosed in VMware security advisories,” a VMware spokesperson said at the time.

VMware’s Security Response Center issued a blog with guidance for customers on Feb. 6. The company maintains there is no evidence an unknown or zero-day vulnerability is propagating the ransomware in the ESXiArgs attacks.

The attacks targeted at least 3,800 IP addresses and compromised at least 2,250 machines spanning multiple countries in Europe, Canada, Asia and the U.S. Four ransom payments valued at a total of $88,000 were tracked by Ransomwhere, an open-source ransomware payment tracker.

The variant

As response and recovery efforts got underway, a new variant of ESXiArgs ransomware emerged and has infected more than 2,100 VMware servers to date, according to Censys.

The slightly tweaked version of the malware encrypts data more effectively with a different encryption routine, Brett Callow, threat analyst at Emsisoft, said via email at the time.

Who found it — and what the government is saying

Cyber authorities in France sounded the first alarm on Feb. 3, issuing an advisory linking a spree of ransomware attacks to a known VMware vulnerability that was discovered and patched about two years ago.

Some victims recovered data compromised by the initial spree of attacks without paying the ransom, according to the Cybersecurity and Infrastructure Security Agency.

CISA and the FBI issued a joint advisory with guidance and published an ESXiArgs ransomware recovery script on GitHub in response to the ongoing ransomware campaign.

However, a slight code change in the new variant of ESXiArgs rendered the recovery script largely ineffective, according to multiple threat researchers and analysts.

“We are aware of a new ESXiArgs ransomware variant that encrypts more data. We will update the advisory as new information becomes available,” CISA Director Jen Easterly said on Twitter last week.

Threat intel vexed by EXSiArgs

The early and still unconfirmed assumption is that threat actors were exploiting a known heap-overflow vulnerability in VMware’s OpenSLP service, CVE-2021-21974, to gain initial access and initiate attacks. The French Computer Emergency Response team was the first to make the connection in its advisory.

Investigations into the initial access vector remain underway, but critical vulnerabilities in VMware products are a recurring problem.

Ransomware activity targeting VMware ESXi instances was on the rise before the ESXiArgs spree broke out, according to research published by Recorded Future.

Only two cyberattacks targeted ESXi with ransomware in 2020, but in 2021 Recorded Future identified more than 400 incidents. Last year the number ballooned, growing almost threefold to 1,118 in 2022, the research found.

Why it's odd

Multiple threat researchers and analysts described the series of ransomware attacks as unsophisticated, though the number of potential victims was still growing at the time.

Victims have yet to be identified or come forward.

Ransomware attacks typically occur one at a time, not in a spree hitting nearly 4,000 victims in a matter of days, according to Chester Wisniewski, field CTO of applied research at Sophos.

“All of it’s very strange, but I definitely would classify this in the seriously amateurish category,” Wisniewski said last week.

The mass distribution of ransomware and relatively low and non-customized ransom demands suggests the threat actor is using a high amount of automation — not the hands-on-keyboard tactics typically associated with more sophisticated adversaries demanding multi-million dollar ransoms.