A wave of ransomware attacks taking place since the beginning of February has been tied to an old vulnerability in VMware servers. A patch for the vulnerability was issued in February 2021, but thousands of servers evidently remained unpatched, and an automated process has compromised them in countries around the world.
The campaign has now become the largest set of ransomware attacks in history not targeted at Windows devices, as the attackers have compromised at least 3,200 systems that largely run Linux. The attacks are not being conducted by one of the major ransomware gangs, however, and an oversight in the malicious software used has made it relatively easy to restore impacted systems.
Automated attacks on VMware servers hit many targets, but do little damage
There is one major silver lining to this record-setting attack campaign: the attackers do not appear to be very experienced and have thus far caused far less damage than one would expect.
CISA was able to issue a recovery tool thanks to a major oversight in the ransomware's encryption routine: it left unencrypted the key files that can be used to rebuild hosted virtual machines, making recovery relatively easy for many victims. The attackers have also collected relatively little in ransom (under $100,000 at last count) in spite of hitting so many VMware servers around the world. And while they have threatened to release stolen data, the group does not yet have a channel for doing so, nor has it displayed any indication that it has actually exfiltrated anything.
Only a small number of victims have publicly reported having their VMware servers compromised, and of these there are few reports of serious or ongoing damage. A number of United States universities were reportedly hit by the ransomware attacks, as was an administrative system of the Florida Supreme Court, but it appears that there were more compromises in France than anywhere else. International law enforcement agencies are continuing to investigate.
Ransomware attacks expanding to Linux systems
Though the ransomware attack is coming under control, security experts and government agencies around the world caution that attempts are continuing. Unpatched VMware servers should be patched immediately, and can be protected while awaiting patching by disabling the Open Service Location Protocol (OpenSLP). The vulnerable VMware ESXi servers are particularly important to protect, as each generally hosts an array of virtual servers that can in turn be compromised. Versions 6.5, 6.7 and 7 are the ones that potentially contain the vulnerability and require patching.
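The interim mitigation described above, written up as an added example script that is not part of the article: it checks whether a host reports one of the release lines named here (6.5, 6.7, 7) and, if so, stops OpenSLP, closes its firewall ruleset and keeps it from starting at boot using the service, `esxcli` and `chkconfig` commands VMware documents for ESXi. It assumes it is run as root on the ESXi host itself; the two parsing functions take their command output as arguments so they can be exercised off-host.

```shell
#!/bin/sh
# Added example, not the article's own code. Usage on an ESXi host (as root):
#   sh disable_slp.sh --apply
# Without --apply nothing is changed; the helper functions are then only defined.

# Returns 0 when the "vmware -v" banner names a release line the article lists as
# potentially vulnerable (6.5, 6.7, 7.x), 1 otherwise. Note that a host on one of
# these lines may already carry the February 2021 patch; the script still disables
# OpenSLP, which is harmless if the service is not needed.
is_affected_version() {
    case "$1" in
        *"ESXi 6.5."*|*"ESXi 6.7."*|*"ESXi 7."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the "chkconfig --list slpd" output shows slpd set to start at boot.
slp_enabled_at_boot() {
    case "$1" in
        *slpd*on*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stops OpenSLP, disables the CIMSLP firewall ruleset and prevents slpd from
# restarting on reboot. Returns non-zero if any step fails.
disable_openslp() {
    /etc/init.d/slpd stop || return 1
    esxcli network firewall ruleset set -r CIMSLP -e 0 || return 1
    chkconfig slpd off || return 1
}

main() {
    banner=$(vmware -v 2>/dev/null) || { echo "vmware -v failed: not an ESXi host?"; return 1; }
    if ! is_affected_version "$banner"; then
        echo "$banner: outside the release lines named in the advisory; nothing to do"
        return 0
    fi
    if slp_enabled_at_boot "$(chkconfig --list slpd 2>/dev/null)"; then
        disable_openslp && echo "OpenSLP disabled on $banner; install the vendor patch next"
    else
        echo "slpd already disabled at boot on $banner"
    fi
}

# Only act when explicitly asked, so the file can be sourced for the checks alone.
[ "${1:-}" = "--apply" ] && main
```

Disabling OpenSLP is a stopgap only; the host still needs the vendor patch, and a change window is advisable because CIM clients that rely on SLP discovery will lose it.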
In the meantime, the full extent of the damage may not be established for some time, given the number of virtual servers that may have been compromised. At the moment, however, it looks as if the attack was relatively mild given how widespread it was. It does serve as a warning that attackers are always looking for new territory to expand into, and that Linux vulnerabilities are an increasingly popular point of focus for them.