Hackers Respond to ESXiArgs Ransomware Decryptors with New Malware Variant
The contest between attackers and the defenders who oppose them has always been a back-and-forth game. The events surrounding a recent ransomware campaign are a perfect example of this cyber arms race in microcosm.
The two sides began clashing earlier this month, when a new family of ransomware was deployed against thousands of targets, all running older, unpatched versions of VMware's ESXi hypervisor.
The remote code execution attacks exploited a years-old vulnerability for which a patch has been available since February 2021, as France's Computer Emergency Response Team (CERT-FR) noted when it began tracking the attacks. The flaw, CVE-2021-21974, is a heap overflow in the OpenSLP service that ESXi exposes on the network.
“Based on current investigations, these attack campaigns appear to exploit the CVE-2021-21974 vulnerability, for which a patch has been available since February 23, 2021.” CERT-FR said on February 3.
“The currently targeted systems would be ESXi hypervisors at version 6.x and earlier than 6.7.”
The ransomware was dubbed ESXiArgs, after the .args files it writes alongside each encrypted file.
From there, infections took off quickly, with more than 3,800 compromised machines reported as of a few days ago. The attack could have been much worse, however: only a small portion of the roughly $80,000 in ransoms has been paid so far, according to the crowdsourced payment tracker Ransomwhere.
As reported by BleepingComputer, a security researcher quickly published a detailed recovery guide that helped many victims regain control of their systems without paying. The US Cybersecurity and Infrastructure Security Agency (CISA) followed with its own recovery script five days ago.
That brings us to the latest tick and tock. System administrators began reporting a new, more damaging variant of ESXiArgs in BleepingComputer's forums. They said it now encrypts more files, which makes the recovery guides already published far less effective.
The new variant has already reinfected more than a thousand systems.
Security researchers at Censys report that the new variant has other changes as well, including the removal of the bitcoin address from the ransom note, which will likely make it harder to track successful payments. Instead, the operators, who have not yet been identified, now ask victims to contact them through the Tox messaging service.
“The timing of this update appears to be a direct response to the CISA decryptor and observations made by security researchers,” Censys said in a blog post. The attackers, Censys added, have likely been following updates from the security community: they realized that researchers were tracking their payments, and may even have known before launching the ransomware that the encryption process in the original variant was relatively easy to bypass.
“In other words: they are watching.”