It is now well known that attackers are exploiting a two-year-old VMware vulnerability as part of a ransomware campaign that is targeting thousands of organisations worldwide.
Recent reports describe how VMware ESXi servers that had been left unpatched against a remotely exploitable bug disclosed in 2021 were compromised and had their data encrypted by a ransomware variant dubbed “ESXiArgs.”
ESXi is VMware’s hypervisor, a technology that lets an organisation run several virtual machines, each with its own operating system, on a single physical server.
Because one compromised hypervisor exposes every virtual machine it hosts, cloud and hosting providers that run large ESXi fleets are prime targets for a campaign like this.
According to France’s computer emergency response team, CERT-FR, the attackers have been targeting VMware ESXi servers since February 3, 2023.
Italy’s national cybersecurity agency, ACN, has also warned of a large-scale ransomware campaign targeting thousands of servers across Europe and North America.
U.S. cybersecurity officials have confirmed that they are investigating the ESXiArgs campaign.
“CISA is working with our public and private sector partners to assess the impacts of these reported incidents and providing assistance where needed,” a CISA spokesperson said.
“Any organisation experiencing a cybersecurity incident should immediately report it to CISA or the FBI.”
From a non-expert’s point of view, one is tempted to ask whether reverse engineering of the ransomware has been explored as a way of addressing this threat.
Where it has not (and we do not expect that to be the case), we suggest the following as a starting point for that work:
The reverse-engineering process typically begins with an isolated analysis environment, which calls for:
– a thorough evaluation of the available virtualisation platforms: VMware, Xen, KVM, …
– protection for the analyst’s own systems against the malicious code under study
– a known-good baseline environment to compare against
– a way to backtrack quickly (for example by reverting to a snapshot) if something goes wrong
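The last three items above, made concrete as an added example that is not part of the original post: a small POSIX shell helper for a KVM/libvirt analysis guest. It defines a libvirt network with no forwarding (so the guest cannot reach the host’s other networks or the internet), checks that every interface of the guest sits on that network, takes a known-good snapshot before any sample is introduced, and reverts to it afterwards. The guest name, network name and snapshot name are assumptions; `all_ifaces_on_net` parses `virsh domiflist` output from stdin so it can be exercised offline on constructed output.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot-based malware analysis lab on KVM/libvirt.
# Assumes virsh is available and a guest named "$VM" already exists. All names are hypothetical.
VM="${VM:-analysis-lab}"
NET="${NET:-isolated}"
BASELINE="${BASELINE:-clean-baseline}"

# libvirt network definition with no <forward> element: guests on it can reach each other and
# the host-side bridge address, but have no route to the host's other networks or the internet.
isolated_net_xml() {
    cat <<EOF
<network>
  <name>$NET</name>
  <bridge name='virbr-$NET'/>
  <ip address='192.168.100.1' netmask='255.255.255.0'>
    <dhcp><range start='192.168.100.10' end='192.168.100.50'/></dhcp>
  </ip>
</network>
EOF
}

# Define and start the isolated network; "already defined/active" errors are ignored for a lab.
create_isolated_net() {
    tmp=$(mktemp) && isolated_net_xml >"$tmp"
    virsh net-define "$tmp" 2>/dev/null || true
    virsh net-start "$NET" 2>/dev/null || true
    virsh net-autostart "$NET"
    rm -f "$tmp"
}

# Read `virsh domiflist $VM` output on stdin; succeed only if every interface's Source is "$1".
# Output format: a two-line header, then one "Interface Type Source Model MAC" row per NIC.
all_ifaces_on_net() {
    awk -v net="$1" 'NR > 2 && NF >= 3 { n++; if ($3 != net) bad = 1 }
                     END { exit (bad || n == 0) }'
}

check_isolation() {
    if virsh domiflist "$VM" | all_ifaces_on_net "$NET"; then
        echo "$VM: all interfaces on isolated network $NET"
    else
        echo "$VM: WARNING, an interface is attached outside $NET; fix this before running any sample" >&2
        return 1
    fi
}

# Known-good baseline: taken once, after tools are installed and before any sample is copied in.
take_baseline() { virsh snapshot-create-as "$VM" "$BASELINE" --description "known-good lab state"; }

# Backtrack: discard everything the sample did and land on the baseline, running.
revert_to_baseline() { virsh snapshot-revert "$VM" "$BASELINE" --running; }

case "${1:-}" in
    net)      create_isolated_net ;;
    check)    check_isolation ;;
    baseline) check_isolation && take_baseline ;;
    revert)   revert_to_baseline ;;
    "")       : ;;   # sourced or run without an action: only define the functions
    *)        echo "usage: $0 {net|check|baseline|revert}" >&2; exit 2 ;;
esac
```

Typical order of use is `net`, attach the guest’s NIC to that network, `baseline` (which refuses to snapshot while any interface is outside the isolated network), detonate, then `revert` before the next sample. Keeping the baseline check in front of the snapshot is deliberate: a snapshot of a guest with a NIC on the default NAT network is a baseline of a lab that is not isolated.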
More than 3,200 VMware servers worldwide have been compromised by the ESXiArgs campaign so far, according to a Censys search reported by Bleeping Computer.
France is the most affected country, followed by the U.S., Germany, Canada and the United Kingdom. It is still unclear who is behind the campaign; French cloud computing provider OVHCloud recently walked back its initial finding that suggested a link to the Nevada ransomware variant.
A copy of the ransom note shared by threat intelligence provider DarkFeed shows that the attackers have also adopted a “triple-extortion” technique: beyond encrypting data and threatening to leak it, they threaten to notify the victims’ customers of the breach.
The attackers are demanding 2.06 bitcoin (approximately $19,000 at the time) and each note displays a different bitcoin wallet address.
VMware spokesperson Doreen Ruyak said the company was aware of reports that a ransomware variant dubbed ESXiArgs “appears to be leveraging the vulnerability identified as CVE-2021-21974” and that patches for the vulnerability “were made available to customers two years ago in VMware’s security advisory of February 23, 2021.”
“Security hygiene is a key component of preventing ransomware attacks, and organizations who are running versions of ESXi impacted by CVE-2021-21974, and have not yet applied the patch, should take action as directed in the advisory,” Ruyak added.
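CVE-2021-21974 is a heap overflow in the OpenSLP service that ESXi exposes on port 427, and VMware’s advisory for it (VMSA-2021-0002) lists both the fixed builds and, for hosts that cannot be patched immediately, the workaround of disabling SLP (VMware KB 76372). The script below is an added example, not part of the original post and not VMware’s own tooling. It assumes an ESXi shell (`vmware -v`, `esxcli`, `chkconfig`, `/etc/init.d/slpd`); the fixed build numbers are transcribed from the advisory and should be confirmed against it before being relied on. The parsing functions read command output from stdin, so they can be exercised offline on constructed output.

```shell
#!/bin/sh
# Added example (not from the original post or VMware): CVE-2021-21974 exposure check and the
# OpenSLP workaround from VMSA-2021-0002 / VMware KB 76372. Intended to run in the ESXi shell.
# Fixed builds are transcribed from the advisory; confirm them against it before relying on them.

# $1: output of `vmware -v`, e.g. "VMware ESXi 6.7.0 build-16075168".
# Returns 0 if the build is at or above the first fixed build for that release line,
# 1 if it is older (vulnerable), 2 if the release line is not in the table.
build_is_patched() {
    ver=$(printf '%s\n' "$1" | awk '{ print $3 }')
    build=$(printf '%s\n' "$1" | sed -n 's/.*build-\([0-9][0-9]*\).*/\1/p')
    case "$ver" in
        7.0*) fixed=17325551 ;;   # ESXi70U1c-17325551
        6.7*) fixed=17499825 ;;   # ESXi670-202102401-SG
        6.5*) fixed=17477841 ;;   # ESXi650-202102101-SG
        *)    return 2 ;;
    esac
    [ -n "$build" ] && [ "$build" -ge "$fixed" ]
}

# Read `esxcli network firewall ruleset list` output on stdin ("Name  Enabled" columns).
# Returns 0 if the CIMSLP ruleset (port 427, the OpenSLP listener) is enabled.
cimslp_enabled() {
    awk '$1 == "CIMSLP" { found = 1; on = ($2 == "true") } END { exit !(found && on) }'
}

# Read `chkconfig --list slpd` output on stdin ("slpd  on|off"); 0 if slpd starts at boot.
slpd_autostarts() {
    awk '$1 == "slpd" { found = 1; on = ($2 == "on") } END { exit !(found && on) }'
}

# The advisory's workaround for hosts that cannot be patched yet: stop the SLP daemon, close its
# firewall ruleset, and keep it from starting on the next boot. Patching is still required.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

audit() {
    command -v esxcli >/dev/null 2>&1 || { echo "not an ESXi shell" >&2; return 1; }
    v=$(vmware -v)
    if build_is_patched "$v"; then
        echo "build: patched ($v)"
    else
        echo "build: NOT patched for CVE-2021-21974 ($v)"
    fi
    if esxcli network firewall ruleset list | cimslp_enabled; then
        echo "firewall: CIMSLP ruleset open, SLP reachable on 427"
    else
        echo "firewall: CIMSLP ruleset closed"
    fi
    if chkconfig --list slpd | slpd_autostarts; then
        echo "service: slpd enabled at boot"
    else
        echo "service: slpd disabled at boot"
    fi
}

case "${1:-}" in
    audit)       audit ;;
    disable-slp) disable_slp && audit ;;
    "")          : ;;   # sourced or run without an action: only define the functions
    *)           echo "usage: $0 {audit|disable-slp}" >&2; exit 2 ;;
esac
```

Run `audit` first; a host that reports an unpatched build with the CIMSLP ruleset open is in exactly the state the campaign is exploiting. `disable-slp` removes the network exposure on such a host until the patch from the advisory can be applied, and re-runs the audit so the change is visible; it does not make the host patched, and the build check will keep saying so.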
The views and recommendations above are not those of a cybersecurity expert.
They are offered only as a prompt for security leaders to pursue a lasting solution to the problem of ransomware.