'Send Bitcoin or Be Hacked': New Wave of Ransomware Attacks Hit VMware Servers Worldwide

A ransomware campaign targetting VMware ESXi servers has affected thousands of computer servers around the world, according to reports from multiple global cybersecurity agencies.

The attack has compromised more than 3,200 servers in France, Germany, Finland, the US and Canada, pushing some of them offline for several hours this week. 

The Computer Emergency Response Team of France (CERT-FR) was the first to sound the alarm about the attack.

“On February 3, CERT-FR became aware of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them,” CERT-FR said in a public notice published on Sunday. 

“The SLP can be disabled on any ESXi servers that haven’t been updated, in order to further mitigate the risk of compromise,” the notice continued. 

Hackers exploited the CVE-2-21-211974 VMware vulnerability patched in early 2021 to exploit a heap overflow issue in the OpenSLP service that s in low-complexity attacks. 

Dozens of organisations across Europe were affected by the attacks, particularly in Italy, where internet providers were sent offline for several hours.

Experts have warned organisations to take action to avoid being locked out of their systems and global cybersecurity agencies, such as the US Cybersecurity and Infrastructure Security Agency (CISA), said they were assessing the impact of the attack.

"CISA is working with our public and private sector partners to assess the impacts of these reported incidents and providing assistance where needed," the CISA said. 

‘Send Bitcoin or be hacked’

Following alerts of the attack, Hackers issued a ransom note to each of its victims, which was shared publicly by cybersecurity provider DarkFeed. 

“Security Alert!!! We hacked your company successfully!... Send money within 3 days, otherwise we will expose some data and raise the price,” the note read.

“If you don’t send bitcoins, we will notify your customers of the data breach by email and text message and sell your data to your opponents or criminals.”

To read more about ransomware attacks, visit our dedicated Business Continuity Page.

The hackers asked victims to send 2.01584 (~$23,000) to a bitcoin wallet but used a different bitcoin wallet for each note they sent. The identity of the hackers is currently unknown. 

🌐 A new #ransomware attack is spreading like crazy 🚨

Many VMware ESXi servers got encrypted in the last hours with this ransom note 🧐

What's interesting is that the bitcoin wallet is different in every ransom note. No website for the group, only TOX id 👀 pic.twitter.com/mgyoLxbXvg

— DarkFeed (@ido_cohen2) February 3, 2023

“What's interesting is that the bitcoin wallet is different in every ransom note. No website for the group, only TOX id,” DarkFeed said in a Tweet.

Enterprises urged to update VMware servers

Security agencies worldwide are offering advice to firms affected by the attacks. They urge companies to update their systems to avoid the threat actors being able to steal their data. 

“Users and administrators of affected product versions are advised to upgrade to the latest versions immediately,” the Singapore Computer Emergency Response Team (SingCERT) notified customers. 

“As a precaution, a full system scan should also be performed to detect any signs of compromise. Users and administrators are also advised to assess if the ransomware campaign-targeted port 427 can be disabled without disrupting operations.”

Security experts have been analysing the attacks since they came to light, sharing similar advice with users and adding useful information on ransomware attacks for security teams. 

In a Twitter post, Matthieu Garin, a security researcher at Wavestone, assured companies that their data would be safe once they upgrade to the latest version of #ESXi and restrict access to the #OpenSLP. 

🎯 #ESXi #Ransomware #Important Check this site: a potential solution to recover from the current campaign - the attackers only encrypt the config files, and not he vmdk disks where the data is store 🔐 ;-) This can definitely be very useful! https://t.co/x5RTd7dDrp pic.twitter.com/MD1ymi8Gf1

— Matthieu Garin (@matthieugarin) February 6, 2023

"The attackers only encrypt the config files and not the VMDK disks where the data is stored. This can definitely be very useful!” Garin explained. 

Most of the VMware servers affected by the attack were in France and Germany and were being hosted by hosting providers OVHCloud and Hetzner. Researchers noted that Ransomware attackers often target developed countries.

“Developed countries are often targeted more frequently for ransomware attacks because they have more resources and access to bitcoins and are more likely to pay the ransom demands,” Rahul Sasi, co-founder and CEO at cybersecurity firm CloudSEK, told CSO. 

“Developed countries often have more advanced technology infrastructure, making them a more attractive target for cybercriminals looking to exploit vulnerabilities,” he added.