ESXiArgs ransomware campaign raises concerns, questions
This Risk & Repeat podcast looks at the widespread ESXiArgs ransomware attacks and the questions they've raised about the threat landscape, vulnerability patching and more.
This week's Risk & Repeat podcast episode looks at the global ransomware campaign hitting VMware ESXi servers.
Reports of widespread attacks first emerged on Friday in France from cloud and hosting providers. CERT-FR issued a security advisory warning that the campaign appeared to exploit CVE-2021-21974, a heap overflow vulnerability in ESXi that was disclosed and patched two years ago, and urged users to update their software immediately. The advisory was later updated to include CVE-2020-3992, a remote code execution vulnerability in ESXi OpenSLP.
Security researchers determined the ransomware was a new variant that specifically targeted VMware ESXi hypervisor software, which they dubbed "ESXiArgs" because of the .args extension added to encrypted files after the ransomware is deployed.
Reports of ESXiArgs activity continued to emerge throughout Friday and over the weekend in many countries, including Italy, Germany, the Netherlands and the U.S. Based on open source threat intelligence and public internet scans, there are hundreds of infected ESXi servers across the globe, and there could be as many as 3,800 victims.
But who is behind the ESXiArgs campaign? What is the motive for these attacks? And why are so many organizations using outdated ESXi software? TechTarget editors Rob Wright and Alex Culafi discuss those questions and more in this episode of the Risk & Repeat podcast.