ESXiArgs: widespread, but effects still being assessed.
N2K, Feb 9, 2023

A new version of the ESXiArgs ransomware appears to prevent data recovery via flat files.

ESXiArgs: widespread, but effects still being assessed.

BleepingComputer reports that a second wave of the ransomware campaign began yesterday, and that ESXiArgs’s developers have updated the malware to encrypt flat files. This means that the data recovery script released by CISA will likely no longer work on servers infected with the updated version of ESXiArgs. BleepingComputer adds that servers infected earlier may still be recoverable by using CISA’s tool. CISA yesterday issued a guide for using the script. It's also available through the CyberWire.

(Added, 9:45 PM, February 9th, 2023. Tony Lauro, Akamai's Director of Security Technology & Strategy, commented on the importance of quick remediation of vulnerabilities, even when the damage seems small, in monetary terms. “While the dollar impact of this particular breach may seem low, cyber attackers continue to plague organizations via death by a thousand cuts. The ESXiArgs ransomware is a prime example of why system administrators need to implement patches quickly after they are released, as well as the lengths that attackers will go to in order to make their attacks successful. However, patching is just one line of defense to rely on.

Lauro suggests that organizations take the recommendations from CISA seriously. “If affected, organizations should follow the recommendations from CISA to update their servers to the latest version of ESXi software, disable the Service Location Protocol service, and ensure the ESXi hypervisor is not exposed to the public internet. In the future, a zero trust framework can help organizations stay protected and minimize the blast radius of an attack by limiting user access and enforcing strict authentication standards.”)

(Added, 10:15 PM, February 10th, 2023. Jon Miller, CEO & Co-founder of Halcyon, noted that patching can be complex, and that CISA's urgency in releasing remediation guidance shows that the agency regards the risk as significant:

“Patching systems like VMware can be highly complex for some organizations. In order to avoid breaking critical business systems, patches often need to be applied in development and tested prior to production. Even then, some issues prevent patching due to legacy systems/software or internal (home-brewed) scripts/applications that will break if the patch is applied. Thus, there can be months+ of work to do before they can be protected, greatly contributing to the large number of vulnerable ESXi/VMs/servers.

“The CISA releasing a script with no guarantee applying it will solve the issue for impacted organizations to regain access and control of their VMWare servers is a statement. It is rare for the CISA to release a tool like this, and shows the level of concern surrounding ransomware operators moving to target beyond traditional corporate endpoints.”)

The impact of the ESXiArgs campaign.

Reuters reports that the ransomware campaign has hit Florida's Supreme Court and several universities in the US and Europe. The impacted universities include “the Georgia Institute of Technology in Atlanta, Rice University in Houston, and institutions of higher learning in Hungary and Slovakia.” Despite the extent of the campaign, the threat actors have apparently collected only $88,000 so far.

The Washington Post notes that the ESXiArgs campaign appears to have had a somewhat muted impact compared to other widespread ransomware campaigns, such as WannaCry or NotPetya. However, the Post quotes Recorded Future’s Allan Liska as saying that he expects to see more sophisticated ransomware developers imitating ESXiArgs’s tactics. Liska stated, “I think we’re going to see somebody who’s going to say, ‘Oh, that was interesting. Let’s see if we can make a better version of that.’ We see that a lot, where a bad guy tries something and it doesn’t work very well, but then the next bad guy comes in and they do it better.”

Speaking of bad guys, it’s not clear who’s behind ESXiArgs.

Italy's National Cybersecurity Agency (ACN) says, according to Reuters, that it’s unclear who’s behind the campaign. In particular, there’s no obvious involvement of a state actor: "No evidence has emerged pointing to aggression by a state or hostile state-like entity."