Italian agency warns ransomware targets known VMware vulnerability

March 20, 2023  |  Nahla Davies

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

News broke in early February that the ACN, Italy’s National Cybersecurity Agency, issued a warning regarding a VMware vulnerability discovered two years ago. Many organizations hadn’t yet patched the issue and became the victims of a new ransomware called ZCryptor. The malicious software wreaked havoc on Italian and European businesses by encrypting users’ files and demanding payment for the data to be decrypted.

The ACN urges VMware users to ensure their systems are backed up and updated with the most recent security patches available. With ransomware on the rise, it’s crucial that businesses take the necessary steps to protect their data and applications. 

ESXiArgs ransomware attacks

Ransomware is a type of malware or malicious software that enables unauthorized users to restrict access to an organization’s files, systems, and networks. But it doesn’t stop there. In exchange for the keys to the kingdom, attackers will typically require a large sum in the form of cryptocurrency. 

There are many ways that ransomware is executed on a target system. In this case, the attackers exploited a vulnerability in VMware’s ESXi hypervisor and held entire servers for ransom. According to reports, most victims were required to pay almost $50,000 USD in Bitcoin to restore access to entire business systems.

The nature of these attacks led experts to believe that this is not the work of established ransomware gangs, and is more likely being executed by a smaller group of threat actors. But that doesn’t mean the damage was any less alarming.

Exploiting known vulnerabilities

Hackers were able to infect over 2000 machines in only twenty-four hours on a Friday afternoon before the start of the weekend. But how were they able to work so fast?

As soon as software developers and providers publish fixes for specific vulnerabilities, threat actors are already beginning their plan of attack. Fortunately, the vulnerability exploited by ESXiArgs (CVE-2021-21974) was patched two years ago.

Organizations that have not applied this patch are at risk of becoming a victim of the latest ransomware. Unfortunately, Florida’s Supreme Court, the Georgia Institute of Technology, Rice University, and many schools across Hungary and Slovakia have already become victims of this newest ransomware attack.

CISA guidance for affected systems

The US Cybersecurity and Infrastructure Security Agency (CISA) issued recovery guidance for the 3,800 servers around the world affected by the ESXiArgs ransomware attacks: 

  • Immediately update all servers to the latest VMware ESXi version. 
  • Disable Service Location Protocol (SLP) to harden the hypervisor.
  • Make sure the ESXi hypervisor is never exposed to the public internet. 

CISA also offers a script on its GitHub page to reconstruct virtual machine metadata from unaffected virtual disks.
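As an added example (not code from the original post, from CISA or from VMware), here is a small POSIX shell audit for the second CISA item: it parses the output of the ESXi shell’s chkconfig and esxcli tools to confirm that the SLP daemon is off at boot and that the CIMSLP firewall ruleset is disabled. It assumes those tools exist when run live on an ESXi host; the sample output embedded below is constructed, and the remediation commands quoted in the comment are VMware’s documented steps for disabling SLP.

```shell
#!/bin/sh
# Added example (not from the post, CISA or VMware): audit helpers that read ESXi
# command output and report whether the SLP hardening CISA recommends is in place.
# audit_live_host assumes the ESXi shell (chkconfig, /etc/init.d/slpd, esxcli).

# Exit 0 when "chkconfig --list" output on stdin shows slpd off at boot, else 1.
slpd_disabled_at_boot() {
    awk '$1 == "slpd" { seen = 1; if ($2 == "off") ok = 1 }
         END { exit !(seen && ok) }'
}

# Exit 0 when "esxcli network firewall ruleset list" output on stdin shows the
# CIMSLP ruleset (the firewall rule that admits SLP traffic) disabled, else 1.
cimslp_ruleset_disabled() {
    awk '$1 == "CIMSLP" { seen = 1; if ($2 == "false") ok = 1 }
         END { exit !(seen && ok) }'
}

# Run the checks against the live host. If either fails, the documented VMware
# remediation sequence is:
#   /etc/init.d/slpd stop
#   esxcli network firewall ruleset set -r CIMSLP -e 0
#   chkconfig slpd off
audit_live_host() {
    esxcli system version get            # version/build, for comparing with the fix
    if chkconfig --list | slpd_disabled_at_boot; then
        echo "PASS: slpd is off at boot"
    else
        echo "FAIL: slpd still starts at boot"
    fi
    if esxcli network firewall ruleset list | cimslp_ruleset_disabled; then
        echo "PASS: CIMSLP firewall ruleset disabled"
    else
        echo "FAIL: CIMSLP firewall ruleset still enabled"
    fi
}

# Constructed sample output, in the two-column format the ESXi tools print.
SAMPLE_CHKCONFIG_UNHARDENED='sfcbd-watchdog   on
slpd             on
vpxa             on'
SAMPLE_CHKCONFIG_HARDENED='sfcbd-watchdog   off
slpd             off
vpxa             on'
SAMPLE_RULESET_HARDENED='Name                  Enabled
--------------------  -------
sshServer             true
CIMSLP                false'
```

On a real host, call audit_live_host from the ESXi shell; the parsing functions can be exercised anywhere by piping the constructed samples into them.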

What organizations can learn from this attack

It can happen to anyone. Malware and ransomware attacks are a popular way to exploit organizations and no business, big or small, is off-limits. The software development industry is now worth over a trillion dollars due to the ever-increasing demand for new applications to meet the various needs of individuals and organizations. 

The average organization uses 110 applications to keep operations running smoothly. Each application requires routine maintenance to keep systems secure, and running updates plays a major role in protecting systems from ransomware. 

Another key takeaway from this attack is to keep vital systems far away from the public internet. Any file, system, or application that touches it can easily be infiltrated by skilled hackers. And since unpatched VMware ESXi hosts remain vulnerable, companies should not expose the hypervisor’s interface to the world.

How to improve patch management and avoid ransomware attacks

There are several issues that contribute to the complexity of patch management, making it difficult for companies to stay on track. For example, as the number of software services increases, so does the number of CVEs. That means more patches to manage, track, and run before attackers discover how to exploit known vulnerabilities. 

In addition to large amounts of software, there is also a large amount of data that companies have to manage. For example, companies generate dark data on an ongoing basis through ordinary business transactions. User behaviors, orchestrations, and other datasets are increasing rapidly as more organizations make data-driven decisions to boost their success. 

This amount of data is very difficult to process and inspect, leaving vulnerabilities hidden where attackers can exploit them. Without visibility, any patching strategy will be ineffective. Complete visibility enables teams to prioritize the assets and software that need to be updated.

Here is how to overcome these common patch management issues and avoid costly ransomware attacks: 

Test every patch

Patches must be thoroughly tested before being introduced into your systems. Patching is necessary to ensure that applications stay secure and up-to-date, but it can cause issues if something goes wrong. Each patch should be tested to avoid misconfigurations and other problems that can do more harm than good. 

Apply patches ASAP

Time is not on your side when it comes to patch management. After patches have been tested, apply them as soon as possible. The faster, the better. As soon as updates are released, hackers are hard at work to exploit as many users as possible before they have a chance to run the patch. 

Phase out deprecated devices and applications

Sometimes there isn’t anything left to do but retire a program or device. When software is deprecated, no additional patches are released, so newly discovered vulnerabilities will never be fixed. Out-of-date software is often phased out precisely because of security concerns, so keeping it in service becomes a security issue in itself. Get rid of any applications and devices that have reached end of life.

Automate patch management

Utilize automation to streamline patch management. Keeping track of each application’s maintenance schedule and regularly testing and patching software is time-consuming. Patch management automation or partnering with a managed service provider might be the most effective way to keep applications and endpoints up to date. 

Final thoughts

Ransomware attacks are not going away anytime soon. The latest ransomware warning out of Italy is now affecting thousands of systems globally due to unpatched software that should have been updated two years ago. Businesses that might be affected by the ESXiArgs ransomware should follow CISA guidance to prevent damage and recover what data might be lost. 

The best way to prevent ransomware threats is to be proactive with running patches and updates. Test every patch to ensure that it’s safe for your systems, apply changes as soon as possible, replace deprecated software, and automate patch management for optimal efficiency and security.
