View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
February 8, 2023

VMware ESXi ransomware wave hits courts and universities

The US cybersecurity agency has released a tool to combat the threat posed to businesses by the vulnerability.

By Claudia Glover

A fast-spreading wave of ransomware attacks linked to a vulnerability in VMware’s ESXi software has now struck servers belonging to Florida’s Supreme Court, as well as several universities in the US and Central Europe. The US’s Cybersecurity and Infrastructure Security Agency (CISA) released a recovery script today in a bid to mitigate the damage caused by the attacks, which may have been carried out by a gang named as ESXiArgs.

Florida’s supreme court is among the victims of the current ransomware wave. (Photo by Fotoluminate LLC/Shutterstock)

The ransomware scourge was first announced on Sunday by Italian cybersecurity agency ACN. Since then the perpetrators have racked up more than 3,800 victims according to digital extortion tracking platform Ransomwhere. 

Ransomware wave hits Florida Supreme Court

Universities compromised in the most recent attack include the Georgia Institute of Technology and Rice University in Houston, as well as other such institutions in Hungary and Slovakia, Reuters believes. On Friday Tech Monitor reported on a cyberattack on the University of Zurich, but it is not known if this is related to the ransomware campaign.

The extent of the damage is currently unknown. The Florida Supreme Court and the above universities have yet to respond to requests for comment. Other victims are thought to include organisations in Italy, France and Finland.

The ransomware in question is called ESXiArgs. It encrypts configuration files on vulnerable VMware ESXi servers, potentially rendering virtual machines unusable. The virtualisation product is part of VMware’s vSphere range.

CISA has released a recovery script for organisations that “have fallen victim to ESXiArgs ransomware”. Named ESCiArgs-Recover, it is available on GitHub and should allow organisations “to attempt recovery of virtual machines affected by ESXiArgs ransomware attacks”.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

The news of the current attacks comes after notorious ransomware gang LockBit’s announcement of a new version of its malware, LockBit Green, which came with an update targeting ESXi.

ESXi ransomware: the extent of the damage

The reports by Ransomwhere detail that four payments have been made so far equalling a surprisingly low $88,000 in bitcoin. Many victims have managed to salvage their data without paying the ransom, reports Reuters, suggesting that the attacks are not the work of experienced ransomware criminals. 

The attacks are likely exploiting CVE-2021-21974, a two-year-old remote code execution vulnerability in the bundled OpenSLP service, for which a patch has been available since February 2021.

Paul Lewis, CISO at security company Nominet, told Tech Monitor last month that systems like ESXi can act as an entry point to online networks. “Virtual machines are generally used for elastic, high-capacity systems and services,” Lewis said. “There are opportunities to potentially use this kind of technology to proliferate quicker because it’s all software, rather than boxes in data centres.”

Read more: Ransomware ‘too difficult’ for police to stop

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.