The Italian National Cybersecurity Agency (ACN) has sounded the alarm on a new ransomware threat that is targeting unpatched VMware systems. The ransomware, called ZCryptor, encrypts users’ files and demands payment to decrypt the data. Many businesses across Italy and Europe have fallen victim to this attack because they had not applied the necessary security patches to their VMware systems.
ESXiArgs Ransomware Attacks: How They Happened
Ransomware is a type of malware that lets unauthorized parties restrict access to an organization’s files, systems, and networks. In the ESXiArgs campaign, the attackers compromised VMware ESXi hypervisors and held entire servers for ransom. Many victims ended up paying almost $50,000 USD in Bitcoin to restore access to their business systems.
Experts believe that this attack is not the work of ransomware gangs, but rather a smaller group of threat actors. However, the damage caused by this attack is still alarming.
Exploiting Known Vulnerabilities: How to Protect Your Business
Hackers were able to infect over 2,000 machines in just twenty-four hours before the weekend. As soon as software developers and providers publish fixes for specific vulnerabilities, threat actors are already working on their next attack. The vulnerability exploited by ESXiArgs was patched two years ago (CVE-2021-21974), so organizations that have not applied that patch remain at risk of becoming victims of this latest ransomware.
To protect your business, it’s crucial to ensure that your VMware systems are backed up and updated with the latest security patches available. Additionally, CISA recommends disabling the Service Location Protocol (SLP) service to harden the hypervisor and ensuring that the ESXi hypervisor is never exposed to the public internet.
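The three mitigations above (patch CVE-2021-21974, disable SLP, keep ESXi off the internet) can be checked across a host inventory. The script below is an added example, not code from ACN, CISA or VMware; the host records are constructed, and the minimum fixed build numbers are taken from VMware advisory VMSA-2021-0002 as an assumption you should verify against the advisory before relying on them.

```python
"""Flag ESXi hosts that still violate the ESXiArgs mitigations."""
from dataclasses import dataclass

# Assumption: first builds carrying the CVE-2021-21974 fix per VMSA-2021-0002
# (ESXi 7.0 U1c, 6.7 P03, 6.5 P05). Verify against the advisory before use.
FIXED_BUILD = {"7.0": 17325551, "6.7": 17499825, "6.5": 17477841}
SLP_PORT = 427  # OpenSLP (slpd) listens on tcp/udp 427; this is the service ESXiArgs abused


@dataclass
class EsxiHost:
    name: str
    version: str              # major.minor release string, e.g. "7.0"
    build: int                # ESXi build number as shown by 'vmware -v'
    slp_running: bool         # whether the slpd service is running
    listening_ports: set      # ports open on the management interface
    internet_reachable: bool  # management interface reachable from the public internet


def assess(host: EsxiHost) -> list:
    """Return a list of findings; an empty list means all three mitigations hold."""
    findings = []
    fixed = FIXED_BUILD.get(host.version)
    if fixed is None:
        findings.append("release has no CVE-2021-21974 fix available; upgrade the host")
    elif host.build < fixed:
        findings.append(f"build {host.build} is older than fixed build {fixed}: CVE-2021-21974 unpatched")
    if host.slp_running or SLP_PORT in host.listening_ports:
        findings.append("SLP still enabled (slpd running or port 427 open); disable it")
    if host.internet_reachable:
        findings.append("management interface is exposed to the public internet")
    return findings


def at_risk(hosts) -> dict:
    """Map host name -> findings for every host with at least one finding."""
    return {h.name: f for h in hosts if (f := assess(h))}


# Constructed sample inventory (hypothetical hosts and build numbers, not real systems)
INVENTORY = [
    EsxiHost("esx-01", "7.0", 17325551, False, {22, 443}, False),
    EsxiHost("esx-02", "6.7", 17167734, True, {22, 427, 443}, True),
    EsxiHost("esx-03", "6.0", 15517548, True, {427, 443}, False),
]

if __name__ == "__main__":
    for name, findings in at_risk(INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```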
CISA Guidance for Affected Systems: Recovering from the Attack
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued recovery guidance for the 3,800 servers around the world affected by the ESXiArgs ransomware attacks.
This includes immediately updating all servers to the latest VMware ESXi version and reconstructing virtual machine metadata from unaffected virtual disks using a recovery script published on CISA’s GitHub page.
In conclusion, the rise of ransomware attacks poses a significant threat to businesses globally. To protect your organization, it’s essential to stay vigilant and ensure that your systems are backed up and updated regularly. By following the necessary steps outlined by the ACN and CISA, you can minimize the risk of falling victim to the latest ransomware attacks.