- On February 6th, 2023, we published an article detailing how malicious actors launched new attacks using two-year-old VMware vulnerabilities known as CVE-2021-21972.
- CISA (Cybersecurity and Infrastructure Security Agency) released a ransomware recovery tool for everyone impacted by the VMware ESXi exploits a few days later.
- Now, it appears that a new wave of attacks is using a new ransomware variant that has been modified to scan and encrypt files of higher sizes.
We reported on February 6th, 2023, how hostile actors used two-year-old VMware vulnerabilities, identified as CVE-2021-21972, to launch fresh attacks. The vulnerability has a CVSSv3 base score of 9.8, a remote code execution vulnerability. A couple of days later, CISA (Cybersecurity and Infrastructure Security Agency) published a ransomware recovery tool for everyone affected by the VMware ESXi exploit. Now, there seems to be a new wave of attacks using a new variant.
The newer version prevents recovery
The way the ransomware used to work is that it only encrypted files in small bits and left quite large gaps of unencrypted files. Now, with the new variant, the malicious actors seem to have changed the ransomware to scan and encrypt files of larger sizes. This renders the recovery tools useless as data will be even more encrypted. Since a larger percentage of the total data will be encrypted, recovery tools for the first variant will not be able to help the second variant, which makes the ransomware even more dangerous.
Impacted Products
- VMware ESXi.
- VMware vCenter Server (vCenter Server).
- VMware Cloud Foundation (Cloud Foundation).
As usual, since the “ESXiArgs” ransomware targets long-unpatched and unprotected instances of VMware ESXi, restricting IP access to trusted sources only and updating to the latest version of ESXi is a good way to help protect yourself from potential threats.