After the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor for affected victims to recover from ESXiArgs ransomware attacks, the threat actors have bounced back with an updated version that encrypts more data.
The emergence of the new variant was reported by a system administrator on an online forum, where another participant stated that files larger than 128MB will have 50% of their data encrypted, making the recovery process more challenging.
Another notable change is the removal of the Bitcoin address from the ransom note, with the attackers now urging victims to contact them on Tox to obtain the wallet information.
The threat actors “realized that researchers were tracking their payments, and they may have even known before they released the ransomware that the encryption process in the original variant was relatively easy to circumvent,” Censys said in a write-up.
“In other words: they are watching.”
Statistics shared by the crowdsourced platform Ransomwhere reveal that as many as 1,252 servers have been infected by the new version of ESXiArgs as of February 9, 2023, of which 1,168 are reinfections.
Since the start of the ransomware outbreak in early February, over 3,800 unique hosts have been compromised. A majority of the infections are located in France, the U.S., Germany, Canada, the U.K., the Netherlands, Finland, Turkey, Poland, and Taiwan.
ESXiArgs, like Cheerscrypt and PrideLocker, is based on the Babuk locker, which had its source code leaked in September 2021. But a crucial aspect that differentiates it from other ransomware families is the absence of a data leak site, indicating that it’s not running on a ransomware-as-a-service (RaaS) model.
“Ransoms are set at just over two bitcoins (US $47,000), and victims are given three days to pay,” cybersecurity company Intel471 said.
While it was initially suspected that the intrusions involved the abuse of a two-year-old, now-patched OpenSLP bug in VMware ESXi (CVE-2021-21974), compromises have been reported in devices that have the network discovery protocol disabled.
VMware has since said that it has found no evidence to suggest that a zero-day vulnerability in its software is being used to propagate the ransomware.
This indicates that the threat actors behind the activity may be leveraging several known vulnerabilities in ESXi to their advantage, making it imperative that users move quickly to update to the latest version. The attacks have yet to be attributed to a known threat actor or group.
“Based on the ransom note, the campaign is linked to a sole threat actor or group,” Arctic Wolf pointed out. “More established ransomware groups typically conduct OSINT on potential victims before conducting an intrusion and set the ransom payment based on perceived value.”
Cybersecurity company Rapid7 said it found 18,581 internet-facing ESXi servers that are vulnerable to CVE-2021-21974, adding it further observed RansomExx2 actors opportunistically targeting susceptible ESXi servers.
“While the dollar impact of this particular breach may seem low, cyber attackers continue to plague organizations via death by a thousand cuts,” Tony Lauro, director of security technology and strategy at Akamai, said.
“The ESXiArgs ransomware is a prime example of why system administrators need to implement patches quickly after they are released, as well as the lengths that attackers will go to in order to make their attacks successful. However, patching is just one line of defense to rely on.”
