In February 2021, VMware, a cloud computing company specializing in virtualization software, released a fix for a critical vulnerability that allowed remote code execution. Now, two years later, vulnerable versions of the software that never received the fix are actively being targeted by ESXiArgs ransomware. Researchers believe that, beginning February 3, 2023, at least 3,800 systems have fallen victim to this ransomware, which demands approximately $50,000 USD worth of Bitcoin for decryption. To date, only 4 ransomware payments have been observed on the blockchain, which is likely due to CISA publishing a decryptor. However, according to an article by The Record on February 15, 2023, the ransomware actors have modified the malware to be resistant to the decryptor tool.
Photo Caption: A ransom note left on an infected ESXi server demanding a Bitcoin payment to restore files and avoid leaks. Source: Bleeping Computer
How Can You Stay Better Protected Against Ransomware?
RiskRecon
Exploitation of a two-year-old vulnerability reinforces the importance of regularly patching software. It also reminds organizations how vital it is that third-party suppliers are held to the same standards. Many of the ransomware victim systems were being hosted and managed by service providers. Mastercard tools like RiskRecon enable not only an organization's own enterprise vulnerability management, but also robust third-party risk and asset management. It is critical that organizations understand their assets, establish a patching cadence, and continuously monitor 3rd, 4th, and nth parties for different risks.
To gain greater visibility into your supply chain, request a FREE demo of RiskRecon.
Shadowserver
Additionally, there are many free resources that organizations can take advantage of to understand exposure in their networks. The Shadowserver Foundation is a non-profit whose mission is to “make the Internet more secure by bringing to light vulnerabilities, malicious activity and emerging threats.” Shadowserver provides free, detailed, relevant, daily remediation reports about the state of your networks. Any organization with its own IP ranges should sign up for Shadowserver reports.
Photo Caption: A dashboard from The Shadowserver Foundation showing unpatched VMware ESXi systems as of 12 February 2023.
To learn more about Shadowserver's insights, view HERE.