Ransomware activity targeting VMware ESXi instances were on the rise before a ransomware spree broke out this month, impacting thousands of servers, Recorded Future research published Monday found.
Only two cyberattacks targeted ESXi with ransomware in 2020, but in 2021 Recorded Future identified more than 400 incidents. Last year the number ballooned, growing almost threefold to 1,118 in 2022, the research found.
Ransomware payload offerings were observed from multiple groups, including ALPHV, LockBit and BlackBasta.
The research underscores a consistent rise of ransomware activity and blind spots posing additional risks among organizations using VMware ESXi.
VMware declined to comment on Recorded Future’s research and advised organizations to upgrade to the latest releases of components to address currently known vulnerabilities.
The threat of ransomware impacting the hypervisor software for server virtualization gained considerable interest this month as ESXiArgs started spreading ransomware across thousands of machines using relatively unsophisticated means.
A new variant of ESXiArgs ransomware, which appeared Feb. 8, infected more than 1,250 VMware servers. Many of the servers were reinfected after the original strain, and represented more than 4 in 5 live infections.
A slight change to the malware allowed it to encrypt data more effectively and prevent data recovery.
“We were all talking about it super generically and in hypotheticals until about a week ago and then we started seeing ESXiArgs,” said Lindsay Kaye, senior research director at Recorded Future and lead analyst on the report.
A combination of factors are fueling this increased level of ransomware activity against ESXi, Kaye told Cybersecurity Dive:
- Virtualization is on the rise and so are vulnerabilities, but ESXi doesn’t have the same level of protections and defenses in place as Windows, for example.
- Antivirus and endpoint detection and response tools for Windows are extensive, but there aren’t many products further than the “nascent stage” for hypervisors such as ESXi.
- Threat hunting commands in ESXi also share similarities with common system administrator operations, blurring the line between normal and malicious activity.
There’s also the issue of the role ESXi plays for organizations. Many scenarios require ESXi systems to be constantly running to maintain critical functions, which could cause organizations to hesitate when applying updates or patches that could cause other problems.
Critical vulnerabilities in VMware products are a recurring problem. The threat research group at Recorded Future highlighted seven high-risk vulnerabilities impacting VMware products in the last six months.
While vulnerability exploitation is a common tactic used by threat actors to gain initial access, many malicious actors are simply relying on system administrator notes, stored passwords or keylogging to gain access to some VMware environments, Recorded Future said in the report.
“The practice of securing virtualized infrastructure is complicated due to the proprietary nature of the technology and the relative infancy of defensive products designed for it,” the report said. “As a result of these factors, ESXi presents an exceptionally attractive target for financially motivated threat actors.”
