VMWare Servers Targeted in Global Ransomware Attack

A large-scale ransomware attack has impacted thousands of organizations worldwide, according to Italy's National Cybersecurity Agency (ACN). The hackers exploited a two-year-old vulnerability in VMware ESXi servers, targeting servers across Europe and North America.

Roberto Baldoni, the Director General of ACN, spoke to Reuters and explained that cybercriminals took advantage of an older VMWare software vulnerability. The ransomware variant, dubbed "ESXiArgs", has caused chaos for organizations with unpatched VMware ESXi servers. The Italian news agency ANSA reported that cybersecurity officials have warned that the vulnerability can be exploited via low-complexity attacks that do not require employee passwords or secrets.

VMware ESXi is a hypervisor technology that allows organizations to host multiple virtualized computers on a single physical server. An estimated 3,200 servers are reportedly compromised by the ESXiArgs vulnerability, with France, the United States, the United Kingdom, Canada, and Germany being the most affected.

In response to the cyberattack, VMWare spokesperson Doreen Ruyak clarified that the company was aware of the latest reports and issued a patch for the ESXiArgs vulnerability (dubbed CVE-2021-21974) back in February 2021. In a statement to TechCrunch, Ruyak urged “organizations who are running versions of ESXi impacted by CVE-2021-21974, and have not yet applied the patch, should take action as directed in the advisory”.

After the warning alarm from Italy’s ACN to fellow nations and private organizations, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed further investigation into the impact. A CISA spokesperson told TechCrunch that the organization was working with the public and private sectors in the country, and “any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI”.

Security experts are yet to determine whether the latest ransomware campaign is connected to the attack on ION Trading UK last week, which caused a worldwide disruption in derivatives trading.