VMware: Ransomware Attacks Show Virtual Infrastructure Is A ‘High-Value Target’

The recent ‘ESXiArgs’ ransomware campaign has compromised thousands of servers running VMware’s ESXi hypervisor.


If customers haven’t seen their virtual infrastructure as a likely target for ransomware attacks in the past, VMware is hoping the recent campaign that compromised thousands of ESXi servers will change their view on that.

In a statement Wednesday, VMware indicated there is no denial on its part about the fact that malicious actors are increasingly going after customers running its virtualization platforms, acknowledging that virtual infrastructure is now a “high-value target” for attackers.

[Related: VMware ESXi Ransomware Attacks: 5 Things To Know]

Sponsored post

The recent “ESXiArgs” ransomware campaign has targeted customers that run the VMware ESXi hypervisor, and an estimate by the FBI and a federal cybersecurity agency put the number of compromised servers worldwide at 3,800 as of last week.

The attacks began in early February and have targeted organizations in countries including the U.S., Canada, France and Germany, according to cybersecurity vendor Censys.

While infections peaked on Feb. 3, the attacks have been continuing, and between Feb. 11 and 12 there were 500 additional hosts infected with the ESXiArgs ransomware, Censys said in a post Wednesday.

VMware released a statement to media Wednesday saying that “the recent ESXiArgs ransomware attacks have highlighted important truths about protecting virtual infrastructure.”

“The important truth is that virtual infrastructure is a high-value target, precisely because organizations run their most important workloads there, and that threat actors are continuously evolving their tools and tactics to work in those environments,” VMware said in a follow-up statement to CRN.

Ransomware attacks on virtualization platforms have already been on the rise for some time: Research from Mandiant, released in April 2022, pinpointed a “significant increase” in such attacks. Mandiant reported at the time that it had been observing the increase over the previous six to 12 months, and noted that it had been seeing numerous ransomware groups target VMware’s vSphere and ESXi platforms.

The scope of the ESXiArgs campaign, however, has brought a lot more attention to the threat. The attacks have exploited a two-year-old vulnerability (tracked at CVE-2021-21974) that affects older versions of VMware ESXi, researchers have said.

According to cybersecurity vendor Wiz, 12 percent of servers running the VMware ESXi hypervisor were unpatched against the vulnerability, which was first disclosed in 2021, as of earlier this month. Rapid7 research found that a total of 18,581 internet-connected ESXi servers were vulnerable to the flaw as of late January.

Robby Hill, CEO of Florence, S.C.-based MSP HillSouth, told CRN he questions why a business would ever think it made sense to put its ESXi servers on the internet. VM servers are the core of an organization’s server infrastructure, he said, and their only utility is providing the execution of the VMs.

“They should never be exposed to the public,” Hill said. “It seems like this was almost bound to happen by designing the setup at these companies so poorly.”

In its statement to CRN, VMware said that “to be resilient, organizations will need to prioritize security as an ongoing task, including keeping software up to date and hardening against the threat landscape.”

On Wednesday, the company published a blog about how its vSphere platform can be helpful to customers with such challenges.

“VMware is urging customers to harden their virtual infrastructure, and we are delivering guidance on how to update software with zero down-time and better configure their deployments to defend against malware threats that target virtual infrastructure,” the company said in its statement Wednesday. “We encourage organizations to enforce identity access management, modernize security architecture, and other hygiene practices for ransomware resilience.”