An encryption campaign is currently targeting ESXi servers up to version 7.x that have not received the February 2021 fix, through CVE-2021-21974, a heap overflow in the hypervisor's OpenSLP service (VMSA-2021-0002) that gives an unauthenticated attacker on the management network code execution on the host, and with it access to the data it stores.
CERT-FR strongly recommends applying the patch as soon as possible, and adds that patching alone does not remediate an existing compromise: systems that were exposed while unpatched should also be checked for signs of compromise.
If you are using this hypervisor, we recommend:
1. Isolate the administration interfaces (in particular, do not expose them to any network outside your information system) so that they cannot be reached remotely from the outside.
2. Change your administration passwords.
3. Make an isolated (offline) backup of your data.
Secondly, update these servers as soon as possible, either to version 8.x (which is not affected) or to one of the patched versions listed in the VMware advisory referenced below.
Until the update is applied, block incoming attacks by disabling the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that have not yet been updated. SLP listens on port 427 and is only needed by CIM management clients that rely on it for discovery.
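As an added example (not from the page, CERT-FR or VMware), the following ESXi shell script applies the two technical measures above to a host that cannot be patched yet: it restricts the SSH and vSphere Client firewall rulesets to an administration subnet (ADMIN_NET is an assumed value you must set yourself) and disables SLP following the steps of VMware KB 76372. The check functions work on captured command output, so the decision logic can be exercised off-host; the esxcli and chkconfig calls only run when the script is started with --apply on the hypervisor.

```shell
#!/bin/sh
# Added emergency-hardening example for an unpatched ESXi host (not from the
# page, CERT-FR or VMware). SLP steps follow VMware KB 76372; the management
# allow-list uses the esxcli firewall "allowedip" mechanism.
# Usage in the ESXi shell over SSH:  ADMIN_NET=10.0.0.0/24 sh harden_esxi.sh --apply
# (10.0.0.0/24 is a placeholder: use your real administration subnet.)

# Step 1 of the recommendations: only let ADMIN_NET reach the management
# services. "--allowed-all false" switches the ruleset from "any source" to
# the explicit allow-list, so the session running this must come from ADMIN_NET.
restrict_admin_interfaces() {
    for rs in sshServer vSphereClient; do
        esxcli network firewall ruleset set -r "$rs" --allowed-all false || return 1
        esxcli network firewall ruleset allowedip add -r "$rs" -i "$ADMIN_NET" || return 1
    done
}

# KB 76372: stop slpd, close its firewall rule (port 427), keep it off at boot.
# slpd refuses to stop while in use; inspect with: esxcli system slp stats get
disable_slp() {
    /etc/init.d/slpd stop || return 1
    esxcli network firewall ruleset set -r CIMSLP -e 0 || return 1
    chkconfig slpd off || return 1
}

# Offline checks on captured command output, usable without an ESXi host.
# $1 = output of `chkconfig --list`; succeeds when slpd still starts at boot.
slpd_enabled_at_boot() {
    printf '%s\n' "$1" | awk '$1 == "slpd" && $2 == "on" { f = 1 } END { exit !f }'
}

# $1 = output of `esxcli network firewall ruleset list -r CIMSLP`;
# succeeds when the CIMSLP rule (port 427) is still enabled.
cimslp_rule_open() {
    printf '%s\n' "$1" | awk '$1 == "CIMSLP" && $2 == "true" { f = 1 } END { exit !f }'
}

# Succeeds when the host still exposes SLP through either path.
slp_exposed() {
    slpd_enabled_at_boot "$1" || cimslp_rule_open "$2"
}

if [ "${1:-}" = "--apply" ]; then
    # Refuse to run without an explicit admin subnet: a wrong value locks you out.
    [ -n "${ADMIN_NET:-}" ] || { echo "set ADMIN_NET=<cidr> first" >&2; exit 2; }
    restrict_admin_interfaces || { echo "firewall allow-list failed" >&2; exit 1; }
    if slp_exposed "$(chkconfig --list)" \
                   "$(esxcli network firewall ruleset list -r CIMSLP)"; then
        echo "SLP still exposed, disabling it"
        disable_slp || { echo "slpd still in use, retry after stopping CIM clients" >&2; exit 1; }
    else
        echo "SLP already disabled"
    fi
fi
```

Run it from a session that originates inside ADMIN_NET, otherwise the first esxcli call drops your connection. If the host is managed by vCenter, add the vCenter address to the vSphereClient allow-list as well, since vCenter reaches the host through that same port 443 ruleset. Disabling SLP stops new exploitation attempts but does nothing for a host that was already exploited, which is why the scan recommended by CERT-FR is still required.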
If your servers have been encrypted, do not restart them or turn them off: data still present in RAM may be recoverable. You must, however, isolate them from your information system.
The ransom notes seen in this attack do not appear to be related to the Nevada ransomware; the campaign appears to come from a new ransomware family.
Starting roughly four hours ago, victims impacted by this campaign have also begun reporting the attacks on BleepingComputer’s forum, asking for help and more information on how to recover their data.
The ransomware encrypts files with the .vmxf, .vmx, .vmdk, .vmsd and .nvram extensions on compromised ESXi servers and creates a .args file for each encrypted file, containing metadata that is likely needed for decryption.
While the threat actors behind this attack claim to have stolen data, one victim reported in the BleepingComputer forums that this was not the case in their incident.
“Our investigation has determined that data has not been infiltrated. In our case, the attacked machine had over 500 GB of data but typical daily usage of only 2 Mbps. We reviewed traffic stats for the last 90 days and found no evidence of outbound data transfer,” the admin said.
Victims have also found ransom notes named “ransom.html” and “How to Restore Your Files.html” on locked systems; others report that their notes are plaintext files.
Note that the attack targets the ESXi host itself, so EDR agents installed inside the hosted VMs do not protect the hypervisor. ESXi does not support installing third-party agents, so EDR cannot be deployed on the host: protection has to come from patching, network isolation of the management interfaces and monitoring from outside the host.
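As an added triage example (not from the page, BleepingComputer or the victims quoted above), the following script enumerates the artifacts described in the two preceding paragraphs on an ESXi datastore: the .args companion files that sit next to each encrypted VM file, and the ransom note names reported by victims. It only reads the file system, so it can be run on an already-isolated host before any recovery attempt; the sample directory in the usage below is constructed for illustration.

```shell
#!/bin/sh
# Added triage example (not from the page). Lists ESXiArgs-style artifacts
# under a datastore root, read-only. Usage on the host:
#   sh esxiargs_triage.sh /vmfs/volumes

# Ransom note file names reported by victims in the article.
NOTE_NAMES='ransom.html
How to Restore Your Files.html'

# One line per .args file under $1: "<args file>\t<encrypted file>\t<state>",
# where <encrypted file> is the .args name without its suffix and <state>
# records whether that file is still present (it is encrypted in place).
list_args_files() {
    find "$1" -type f -name '*.args' | while IFS= read -r f; do
        orig="${f%.args}"
        if [ -f "$orig" ]; then state=present; else state=missing; fi
        printf '%s\t%s\t%s\n' "$f" "$orig" "$state"
    done
}

# Every ransom note found under $1, one path per line.
list_ransom_notes() {
    printf '%s\n' "$NOTE_NAMES" | while IFS= read -r n; do
        find "$1" -type f -name "$n"
    done
}

# Number of encrypted VM files under $1 (one .args per encrypted file).
count_encrypted() {
    list_args_files "$1" | wc -l | tr -d ' '
}

# Short human-readable report for the incident log.
triage_report() {
    printf 'Encrypted files: %s\n' "$(count_encrypted "$1")"
    list_args_files "$1"
    printf 'Ransom notes:\n'
    list_ransom_notes "$1"
}

if [ -n "${1:-}" ]; then
    triage_report "$1"
fi
```

Keep the output together with the .args files themselves: the metadata they carry is the only per-file information the attacker left behind, and any later decryption or recovery effort will need it untouched.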
VMware advisory VMSA-2021-0002 (February 2021): https://www.vmware.com/security/advisories/VMSA-2021-0002.html
CVE-2021-21974: https://www.cve.org/CVERecord?id=CVE-2021-21974
Disable SLP (VMware KB 76372): https://kb.vmware.com/s/article/76372
Organizations, users, get ready! We’ll keep you updated.