These ransomware infections on VMware ESXi software are due to a vulnerability that has existed since 2021. Discover the most targeted countries and how to secure your organization.
How does this ransomware attack work?
CVE-2021-21974 is a vulnerability that affects OpenSLP as used in VMware ESXi. Successful exploitation of that vulnerability allows an attacker to execute arbitrary code, and exploits for this vulnerability can be found in several open sources as of May 2021.
The French government’s Computer Emergency Response Team CERT-FR was the first to do so to alarm about ransomware exploiting this vulnerability on February 3, 2023, quickly followed by the French hosting provider OVH.
Attackers could exploit the vulnerability remotely and unauthenticated over port 427 (Service Location Protocol, SLP), a protocol that most VMware customers do not use.
The ransomware encrypts files with the following extensions on affected systems: .vmdk, .vmxf, .vmsd, .vmsn, .vmss, .vswp, .nvram, and .vmem. It then tries to shut down the virtual machines by terminating the VMX process to unlock the files.
A text note is left after encryption is complete (Image A), which demands a ransom to be paid in Bitcoin cryptocurrency within three days.
The ransomware threat actor behind this attack is unknown as the malware appears to be a new ransomware. OVH has reported that according to several security researchers, the encryption cipher used in the ransomware is the same as what was used in the leaked cipher dust malware code as of September 2021, although the code structure is different.
The Babuk code leaked in 2021 has been used to create other malware often targeting ESXi systems, but it seems too early to draw a definitive conclusion on the attribution of that new malware, which security researchers ESXiArgs has been mentioned.
France and the US are the biggest targets
Find Censysan online tool for searching internet-connected devices shows that more than 1,000 servers have been successfully affected by the ransomware, mainly in France, followed by the US and Germany.
At the time of writing, more than 900 servers in France had been hacked, while about 400 servers in the US were affected.
Many more systems may be vulnerable and not yet attacked. This is reported by the Shadow Server Foundation about 27,000 instances may be vulnerableaccording to the version of its VMware software.
How to protect your organization from this ransomware threat
For systems running unpatched versions of VMware ESXi, the absolute priority is to pause the SLP service if it is running. The vulnerability can only be exploited through that service, so if it is closed, the system cannot be attacked through this vector.
The next step is to reinstall the hypervisor in a VMware supported version — ESXi 7.x or ESXi 8.x — and apply all security patches.
Finally, all management services must be protected and only available locally. If there is a need for remote access, VPN with multi-factor authentication or IP filtering should be used.
Jan Lovmand, chief technology officer of BullWall, a cybersecurity company focused on preventing ransomware attacks, told TechRepublic more about the vulnerability.
“A patch has been available from VMware since February 2021, when the vulnerability was discovered,” Lovmand said. “This just goes to show how long it takes many organizations to patch internal systems and applications, which is just one of the many reasons why criminals continue to find their way in. The attack surface is large and preemptive security solutions can be bypassed in a scenario like this if the vulnerability is not patched.”
Lovmand also stressed the importance of patching your networks.
“There is a 50-50 chance that your company will be successfully hit by ransomware in 2023,” he said. “Security solutions cannot protect unpatched networks.”
How to recover from this ransomware threat
Security researchers Enes Somnez and Ahmet Aykac have a solution to recover in case a system has been attacked by this ransomware.
The researchers explain that the ransomware encrypts small files such as .vmdk and .vmx, but not the server-flat.vmdk file, which contains the actual data. Using this file, it is possible to fall back and recover information from the system.
Julien Levrard, chief information security officer of OVHCloud, wrote that the method documented by Somnez and Aykac has been successfully tested by OVH and many security experts on several affected servers, with a success rate of 2/3. He added that “this procedure requires strong skills in ESXi environments.”
Revelation: I work for Trend Micro, but the opinions expressed in this article are my own.
Read more: Patch Management Policy (Tech Republic Premium)