The fight between hackers and the various groups who oppose them has always been a game of back and forth. The developments around a recent ransomware exploit are a perfect example of this cyber arms race in microcosm.
The various combatants began to square off when a new ransomware family began to be deployed against thousands of targets earlier this month, all running an older version of VMware’s ESXi hypervisor.
The remote code execution attacks took advantage of a two-year-old vulnerability for which a patch has been available since February 2021, as France's Computer Emergency Response Team noted when it began to track the attacks.
“As current investigations, these attack campaigns appear to be exploiting the vulnerability CVE-2021-21974, for which a patch has been available since 23 February 2021,” CERT-FR said on 3 February.
“The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7.”
The ransomware was dubbed ESXiArgs.
From there, the infections took off rapidly, with over 3,800 compromised machines reported as of a few days ago. The attack, however, could have been far worse. Only a handful of the US$80,000 ransoms have been paid so far according to Ransomwhere.
As reported by Bleeping Computer, a security researcher quickly released a detailed recovery guide that would have helped many victims take back control of their systems themselves. The US Cybersecurity and Infrastructure Security Agency (CISA) then followed up with its own recovery script five days ago.
Which leads us to the latest tick to the last tock. Sysadmins began reporting a new, more damaging variant of ESXiArgs on Bleeping Computer's forums. They said it now encrypts a far larger portion of each file, making the already released recovery guides far less effective.
The new variant has now reinfected over one thousand systems.
Security researchers at Censys report the new variant has a few other changes, including removing the bitcoin address for victims to pay the ransom to, likely to make it harder for successful payments to be tracked. Instead, the operators, as yet unidentified, now ask victims to contact them via the Tox messaging service.
“The timing of this update seems like a direct response to CISA’s decryptor and observations made by security researchers,” Censys said in a blog post. They likely followed updates from the security community. They realised that researchers were tracking their payments, and they may have even known before they released the ransomware that the encryption process in the original variant was relatively easy to circumvent.
“In other words: they are watching.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.