{"id":405,"date":"2023-02-16T09:46:00","date_gmt":"2023-02-16T09:46:00","guid":{"rendered":"https:\/\/3bdatasecurity.com\/3bds-blog\/?p=405"},"modified":"2024-11-06T15:26:44","modified_gmt":"2024-11-06T15:26:44","slug":"vmware-suffers-from-another-ransomware-attack","status":"publish","type":"post","link":"https:\/\/3bdatasecurity.com\/3bds-blog\/vmware-suffers-from-another-ransomware-attack\/","title":{"rendered":"VMware Hit With Second Round of Ransomware"},"content":{"rendered":"\n<p>VMware recently warned their customers to install the latest security update, as attackers had launched a ransomware attack targeting VMware ESXi hypervisors.<\/p>\n\n\n\n<p><em>&#8220;As current investigations, these attack campaigns appear to be exploiting the vulnerability CVE-2021-21974, for which a patch has been available since 23 February 2021,&#8221;<\/em>&nbsp;the French Computer Emergency Response Team (CERT-FR) said.<\/p>\n\n\n\n<p><em>&#8220;The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7.&#8221;<\/em><\/p>\n\n\n\n<p>This vulnerability is a heap overflow in the OpenSLP service, which allowed attackers to execute code remotely without prior authentication.<\/p>\n\n\n\n<p>VMware urged their customers to install the latest security updates and disable the OpenSLP service.<\/p>\n\n\n\n<p><em>\u201cThe SLP can be disabled on any ESXi servers that haven\u2019t been updated, in order to further mitigate the risk of compromise,\u201d<\/em>&nbsp;CERT-FR wrote in its notice.<\/p>\n\n\n\n<p>CERT-FR also said that systems left unpatched should be scanned for signs of compromise.<\/p>\n\n\n\n<p>The ransomware attack has reportedly\u00a0<a 
href=\"https:\/\/search.censys.io\/search?resource=hosts&amp;sort=RELEVANCE&amp;per_page=25&amp;virtual_hosts=EXCLUDE&amp;q=services.http.response.body%3A+%22How+to+Restore+Your+Files%22+and+services.http.response.html_title%3A%22How+to+Restore+Your+Files%22&amp;cursor=eyJBZnRlciI6WyI4OS43ODE4MTUiLCJTeGpRcE5mU1orOVJlcEJnOENoTTJRPT0iXSwiUmV2ZXJzZSI6ZmFsc2UsIlNlZWQiOjB9\">hit thousands of servers<\/a>\u00a0in France, Finland, Germany, Canada and the US.\u00a0\u00a0<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p><a href=\"https:\/\/darkfeed.io\/2023\/02\/04\/a-new-ransomware-attack-is-spreading-like-crazy\/\">The ransom note issued<\/a>&nbsp;to the victims said:<\/p>\n\n\n\n<p><em>\u201cSecurity Alert!!!<\/em><\/p>\n\n\n\n<p><em>We Hacked your company successfully<\/em><\/p>\n\n\n\n<p><em>All files have been stolen and encrypted by us<\/em><\/p>\n\n\n\n<p><em>If you want to restore files or avoid file leads, please send 2.064921 bitcoins\u2026.<\/em><\/p>\n\n\n\n<p><em>\u2026 Send money within 3 days, otherwise we will expose some data and raise the price\u2026\u201c<\/em><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>The Cybersecurity and Infrastructure Security Agency (CISA) went on to release an ESXiArgs recovery script. Organisations that have fallen victim to ESXiArgs ransomware could use this script to attempt to recover their files.&nbsp;<\/p>\n\n\n\n<p>CISA and&nbsp;the Federal Bureau of Investigation (FBI)&nbsp;encouraged all organisations managing VMware ESXi servers to:<\/p>\n\n\n\n<p>&#8211; Update servers to the latest version of VMware ESXi software,<\/p>\n\n\n\n<p>&#8211; Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service, and<\/p>\n\n\n\n<p>&#8211; Ensure the ESXi hypervisor is not exposed to the public internet.&nbsp;<\/p>\n\n\n\n<p>But Bleeping Computer reported later that day that a second ESXiArgs ransomware wave had started. 
This wave included a modified encryption routine that encrypts far more data in large files.<\/p>\n\n\n\n<p>They reported that&nbsp;<em>\u201cthe encryptor had not changed, but the encrypt.sh script&#8217;s &#8216;size_step&#8217; routine had been taken out and simply set to 1 in the new version.\u201d<\/em><\/p>\n\n\n\n<p><em>\u201c\u2026this change causes the encryptor to alternate between encrypting 1 MB of data and skipping 1 MB of data.\u201d<\/em><\/p>\n\n\n\n<p>This change means files over 128 MB now have 50% of their data encrypted, making recovery unlikely. It also defeats the earlier recovery tools, because the files contain too much encrypted data to be usable.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Advice From Our Experts<\/strong><\/h3>\n\n\n\n<p>Digital Forensics and Incident Response Consultant Carl Pearce gives some advice on what affected organisations should do next:<\/p>\n\n\n\n<p>The patch was issued in February 2021, but given the nature of hypervisors, it is often difficult and highly impactful to organisations when patches to these foundational servers are required. It is highly likely that servers will require a restart, but this should not put off administrators from installing the patch (an hour\u2019s downtime is better than total destruction of all the data). Anecdotal comments suggest the total process, including reboots, is about 40 minutes.<\/p>\n\n\n\n<p>The patch and advisory ID can be found&nbsp;<a href=\"https:\/\/www.vmware.com\/security\/advisories\/VMSA-2021-0002.html\">on the VMware website<\/a>&nbsp;or by looking up the VMware advisory ID \u201cVMSA-2021-0002\u201d.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Do You Need Help Responding to a Cyber Incident?<\/strong><\/h3>\n\n\n\n<p>If you need help recovering from a cyber incident, get in touch with our expert team today. 
At 3B Data Security, we have extensive experience and expertise gained from conducting a wide variety of incident response and data breach investigations ranging in size and complexity.<\/p>\n\n\n\n<p>We\u2019re approved under the recognised UK national body CREST Cyber Security Incident Response (CSIR) scheme. Our consultants even helped design the CREST Certified Incident Manager (CCIM) accreditation.<\/p>\n\n\n\n<p>Get in touch to find out how we can help your organisation.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>VMware recently warned their customers to install the latest security update, as attackers had launched a ransomware attack targeting VMware ESXi 
hypervisors.<\/p>\n","protected":false},"author":5,"featured_media":406,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7,25],"tags":[20,26],"class_list":["post-405","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyber-attacks","category-news","tag-cyber-attack","tag-news"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>VMware hit again with more Ransomware<\/title>\n<meta name=\"description\" content=\"VMware recently warned their customers to install the latest security update, as attackers had launched a ransomware attack on ESXi servers.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/3bdatasecurity.com\/3bds-blog\/vmware-suffers-from-another-ransomware-attack\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"VMware hit again with more Ransomware\" \/>\n<meta property=\"og:description\" content=\"VMware recently warned their customers to install the latest security update, as attackers had launched a ransomware attack on ESXi servers.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/3bdatasecurity.com\/3bds-blog\/vmware-suffers-from-another-ransomware-attack\/\" \/>\n<meta property=\"og:site_name\" content=\"3B Data Security Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/3BDSLtd\/\" \/>\n<meta property=\"article:published_time\" content=\"2023-02-16T09:46:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-11-06T15:26:44+00:00\" \/>\n<meta property=\"og:image\" 
content=\"https:\/\/3bdatasecurity.com\/3bds-blog\/wp-content\/uploads\/2024\/04\/Blog-Featured-Image-17.png\" \/>\n\t<meta property=\"og:image:width\" content=\"2000\" \/>\n\t<meta property=\"og:image:height\" content=\"600\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Annabelle Ilsley\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@3bData\" \/>\n<meta name=\"twitter:site\" content=\"@3bData\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Annabelle Ilsley\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/3bdatasecurity.com\/3bds-blog\/vmware-suffers-from-another-ransomware-attack\/\",\"url\":\"https:\/\/3bdatasecurity.com\/3bds-blog\/vmware-suffers-from-another-ransomware-attack\/\",\"name\":\"VMware hit again with more Ransomware\",\"isPartOf\":{\"@id\":\"https:\/\/3bdatasecurity.com\/3bds-blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/3bdatasecurity.com\/3bds-blog\/vmware-suffers-from-another-ransomware-attack\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/3bdatasecurity.com\/3bds-blog\/vmware-suffers-from-another-ransomware-attack\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/3bdatasecurity.com\/3bds-blog\/wp-content\/uploads\/2024\/04\/Blog-Featured-Image-17.png\",\"datePublished\":\"2023-02-16T09:46:00+00:00\",\"dateModified\":\"2024-11-06T15:26:44+00:00\",\"author\":{\"@id\":\"https:\/\/3bdatasecurity.com\/3bds-blog\/#\/schema\/person\/f979fb9a97552f3b19fcb5a9b61349a6\"},\"description\":\"VMware recently warned their customers to install the latest security update, as attackers had launched a ransomware attack on ESXi 
servers.\",\"breadcrumb\":{\"@id\":\"https:\/\/3bdatasecurity.com\/3bds-blog\/vmware-suffers-from-another-ransomware-attack\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/3bdatasecurity.com\/3bds-blog\/vmware-suffers-from-another-ransomware-attack\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/3bdatasecurity.com\/3bds-blog\/vmware-suffers-from-another-ransomware-attack\/#primaryimage\",\"url\":\"https:\/\/3bdatasecurity.com\/3bds-blog\/wp-content\/uploads\/2024\/04\/Blog-Featured-Image-17.png\",\"contentUrl\":\"https:\/\/3bdatasecurity.com\/3bds-blog\/wp-content\/uploads\/2024\/04\/Blog-Featured-Image-17.png\",\"width\":2000,\"height\":600,\"caption\":\"VMware Hit With Second Round of Ransomware\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/3bdatasecurity.com\/3bds-blog\/vmware-suffers-from-another-ransomware-attack\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/3bdatasecurity.com\/3bds-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"VMware Hit With Second Round of Ransomware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/3bdatasecurity.com\/3bds-blog\/#website\",\"url\":\"https:\/\/3bdatasecurity.com\/3bds-blog\/\",\"name\":\"3B Data Security Blog\",\"description\":\"News and Updates from 3B Data Security\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/3bdatasecurity.com\/3bds-blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/3bdatasecurity.com\/3bds-blog\/#\/schema\/person\/f979fb9a97552f3b19fcb5a9b61349a6\",\"name\":\"Annabelle Ilsley\",\"url\":\"https:\/\/3bdatasecurity.com\/3bds-blog\/author\/ag3bds\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}