A series of ransomware attacks exploiting a known VMware vulnerability bears the markings of an unsophisticated campaign, according to researchers. And yet, the number of potential victims and damage caused by the ransomware spree is growing.
A list of victims linked to corresponding IP addresses surpassed 3,800 Tuesday, according to the latest data compiled by Ransomwhere, an open-source ransomware payment tracker. Four payments valued at a total of $88,000 have been made thus far, according to Censys data shared by Ransomwhere on Twitter.
More than 1 in 4 of the compromised IP addresses are hosted in France, but the attacks, which started Friday, span multiple countries in Europe, Canada, Asia and the U.S.
Ransomware attacks typically occur one at a time, according to Chester Wisniewski, field CTO of applied research at Sophos. A ransomware spree hitting nearly 4,000 victims “in one go is [a] ridiculous scale compared to normal, but on the other hand it’s quite amateurish,” he said.
The mass distribution of ransomware, together with relatively low and non-customized ransom demands, suggests the threat actor relies heavily on automation. That also explains how so many hosts could be compromised through a two-year-old vulnerability in a matter of days.
“I’m a bit surprised there’s this much public-facing infrastructure of this type that’s this old and not being maintained,” Wisniewski said. “All of it’s very strange, but I definitely would classify this in the seriously amateurish category.”
Activity observed by Arctic Wolf Labs suggests the threat actor behind the ESXiArgs campaign is using proof-of-concept exploit code for CVE-2021-21974 that has been publicly available for at least a year.
“We didn’t see a significant uptick in use of the exploit until this campaign,” Adrian Korn, senior manager of threat intelligence research at Arctic Wolf Labs, said via email.
“Threat actors get creative and look at off-the-shelf exploits to use in new campaigns. It is likely that this ESXiArgs crew wanted to target ESXi servers to inflict a lot of damage and then came across this CVE,” Korn said.
Victims yet to be identified
Efforts to link the compromised hosts in the ongoing ransomware campaign to the organizations that actually operate them remain underway.
“While this campaign isn’t especially sophisticated, that doesn’t mean it hasn’t succeeded in impacting a large number of victims. Exactly how many victims there are — and who they are — remains to be seen,” Brett Callow, threat analyst at Emsisoft, said via email.
Reuters identified servers with compromised IP addresses linked to the Florida Supreme Court and several universities, but researchers warned against making a direct connection based on IP address data.
IP address ownership records aren’t updated consistently, and some cloud service providers offer hosted and virtualized VMware installations, which further obscures who is actually operating a given host.
“The Florida Supreme Court’s systems are not compromised,” a spokesperson told Cybersecurity Dive via email.
The ESXiArgs operators borrowed some code from other ransomware groups and wrote a basic shell script to deploy the ransomware and perform cleanup actions, according to Korn. “This does not fit the bill of a highly sophisticated adversary.”
Some victims have recovered data compromised by these attacks without paying the ransom, according to the Cybersecurity and Infrastructure Security Agency. The agency bolstered that effort on Tuesday by publishing an ESXiArgs ransomware recovery script on GitHub to help organizations attempt recovery.
Despite the unsophisticated mode of attack, and the potential for victims to recover without serious damage, the ESXiArgs ransomware campaign underscores the risk created by unpatched, unmaintained and internet-exposed infrastructure.
Not only are these VMware management interfaces not getting patched, but they shouldn’t even be on the internet, Wisniewski said. “This is a full remote-code execution, meaning once they’re on it, they kind of control the box and can do whatever they want.”
Worse yet, Wisniewski said, successful campaigns such as this are often copied by more sophisticated threat actors that can cause more damage.
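The practical takeaway from Wisniewski’s point is a check an ESXi administrator can run today. CVE-2021-21974 is a heap-overflow in the ESXi OpenSLP service (a detail the article does not spell out), and VMware’s documented workaround for hosts that cannot be patched immediately is to stop slpd, block the CIMSLP firewall ruleset and keep the service from restarting on boot. The script below is an added example, not code from the article, from Arctic Wolf, Sophos or VMware: it parses the output of `esxcli network firewall ruleset list` and `/etc/init.d/slpd status` to decide whether the SLP attack surface is still reachable, and applies the workaround only when run in an actual ESXi shell. The exact wording of the slpd status line (“slpd is running” / “slpd is not running”) is an assumption; the parsing functions take the command output as arguments so they can be exercised on a workstation with constructed output.

```shell
#!/bin/sh
# Added example (not from the article, VMware or the researchers quoted):
# report whether an ESXi host still exposes the OpenSLP service that
# CVE-2021-21974 lives in, and apply VMware's documented workaround
# (KB 76372: stop slpd, disable the CIMSLP firewall ruleset, chkconfig slpd off).
# Run from the ESXi shell as root; the parsing helpers also run anywhere.

# slp_ruleset_enabled OUTPUT
#   OUTPUT is the text of `esxcli network firewall ruleset list`
#   (columns: Name, Enabled). Prints "true", "false", or "unknown" when the
#   CIMSLP ruleset does not appear in the listing.
slp_ruleset_enabled() {
    printf '%s\n' "$1" | awk '
        $1 == "CIMSLP" { print tolower($2); found = 1 }
        END { if (!found) print "unknown" }'
}

# slpd_running OUTPUT
#   OUTPUT is the text of `/etc/init.d/slpd status`. The "is running" /
#   "is not running" wording is an assumption about the init script output.
#   Prints "yes" or "no".
slpd_running() {
    case "$1" in
        *"not running"*) printf 'no\n' ;;
        *"is running"*)  printf 'yes\n' ;;
        *)               printf 'no\n' ;;
    esac
}

# slp_exposed RULESET_OUTPUT STATUS_OUTPUT
#   Returns 0 (exposed) if the daemon is running OR the firewall still admits
#   SLP traffic: either condition alone leaves the unauthenticated 427/tcp+udp
#   surface partly in place, so both must be closed before we call it safe.
slp_exposed() {
    ruleset_state=$(slp_ruleset_enabled "$1")
    daemon_state=$(slpd_running "$2")
    if [ "$ruleset_state" = "true" ] || [ "$daemon_state" = "yes" ]; then
        return 0
    fi
    return 1
}

# harden_slp
#   VMware's workaround, safe to run repeatedly. Refuses to run outside an
#   ESXi shell so sourcing this file elsewhere only defines the functions.
harden_slp() {
    if ! command -v esxcli >/dev/null 2>&1; then
        echo "esxcli not found: not an ESXi shell, skipping remediation" >&2
        return 2
    fi
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# Entry point on a real host; skipped automatically where esxcli is absent.
if command -v esxcli >/dev/null 2>&1; then
    rulesets=$(esxcli network firewall ruleset list)
    status=$(/etc/init.d/slpd status 2>/dev/null)
    if slp_exposed "$rulesets" "$status"; then
        echo "SLP still reachable on this host; applying workaround"
        harden_slp
    else
        echo "SLP already disabled on this host"
    fi
fi
```

Disabling SLP is a stopgap, not a substitute for the patch, and it does nothing about the broader point in the quote above: an ESXi management interface reachable from the internet remains a full-control target for the next vulnerability in any of its services. Re-run the check after every host upgrade, since a reinstalled or rebuilt host comes back with SLP enabled by default.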