
What the attack on ESXi servers can teach us about ransomware

by admin

VMware servers around the world suffered a massive targeted cyberattack, the largest non-Windows ransomware attack on record.

Check Point® Software Technologies Ltd., the leading provider of global cybersecurity solutions, shares more details on the cyber attack and shows the evolution and impact of ransomware attacks.

What happened?

Italy’s National Cybersecurity Agency and France’s Computer Emergency Response Team shared that organizations around the world suffered a ransomware attack affecting thousands of VMware ESXi servers, exploiting a vulnerability (CVE-2021-21974) already patched in February 2021.
Because these hosts serve thousands of other servers, the impact appears to be global, affecting organizations in France, Finland, Italy, Canada, and the United States.

VMware described the flaw as a heap-overflow vulnerability in OpenSLP that could lead to arbitrary code execution.

Who is affected?

Anyone using unpatched ESXi machines (CVE-2021-21974) with port 427 exposed to the Internet. CVE-2021-21974 affects the following systems:
· ESXi 7.x versions earlier than ESXi70U1c-17325551
· ESXi 6.7.x versions prior to ESXi670-202102401-SG
· ESXi 6.5.x versions prior to ESXi650-202102101-SG
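As an added example (not part of Check Point's report or any VMware tooling), the following Python script ranks an ESXi inventory against the three fixed releases listed above, putting unpatched hosts with port 427 reachable from the Internet first. It assumes each host's version is recorded either as the VMware bulletin name used in the advisory or as the `vmware -v` banner, that within one branch the numeric part of an identifier increases with release order, and that the sample inventory is constructed.

```python
import re

# Fixed releases per branch, exactly as the advisory excerpt above lists them.
FIXED = {
    "7.0": ("ESXi70U1c-17325551", 17325551),
    "6.7": ("ESXi670-202102401-SG", 202102401),
    "6.5": ("ESXi650-202102101-SG", 202102101),
}
# Two identifier styles: VMware bulletin names (as in the advisory) and the
# "vmware -v" banner, which carries only a build number.
_BULLETIN = re.compile(r"^ESXi(\d)(\d)0?(?:U\d[a-z]?)?-(\d+)(?:-SG)?$")
_BANNER = re.compile(r"^VMware ESXi (\d)\.(\d)\.\d+ build-(\d+)$")

def is_vulnerable(identifier):
    """True = earlier than the fix for its branch, False = fixed, None = not
    decidable. Assumption (mine, not the page's): within one branch the numeric
    part of an identifier grows with release order, so '<' means 'earlier'."""
    m = _BULLETIN.match(identifier) or _BANNER.match(identifier)
    branch = m and f"{m[1]}.{m[2]}"
    # 6.x fixes are named by bulletin ID, so a bare 6.x build number cannot be compared.
    if branch not in FIXED or (branch != "7.0" and not identifier.startswith("ESXi")):
        return None
    return int(m[3]) < FIXED[branch][1]

def triage(hosts):
    """Rank rows {"name", "version", "slp_exposed"}: unpatched hosts with
    port 427 reachable from the Internet first, patched hosts last."""
    ranked = []
    for h in hosts:
        vuln = is_vulnerable(h["version"])
        if vuln is True and h["slp_exposed"]:
            order, verdict = 0, "unpatched, port 427 exposed"
        elif vuln is True:
            order, verdict = 1, "unpatched"
        elif vuln is None:
            order, verdict = 2, "undecidable, verify manually"
        else:
            order, verdict = 3, "patched"
        ranked.append((order, h["name"], verdict))
    return [(name, verdict) for _, name, verdict in sorted(ranked)]

# Constructed sample inventory (host names, builds and exposure are made up).
INVENTORY = [
    {"name": "esx-a", "version": "ESXi70U1c-17325551", "slp_exposed": True},
    {"name": "esx-b", "version": "ESXi670-202011001-SG", "slp_exposed": True},
    {"name": "esx-c", "version": "VMware ESXi 7.0.0 build-16000001", "slp_exposed": False},
    {"name": "esx-d", "version": "VMware ESXi 6.5.0 build-16000002", "slp_exposed": True},
]
```

A 6.x host known only by build number is deliberately reported as undecidable rather than guessed, because the advisory names 6.x fixes by bulletin ID, not by build.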

Largest non-Windows ransomware attack on record

This massive cyberattack on ESXi servers is considered one of the largest ransomware attacks ever recorded on non-Windows machines. Ransomware threat actors have now realized how crucial Linux servers are to the various systems of institutions and organizations. This has prompted them to invest in developing such a powerful cyber weapon and in making ransomware even more sophisticated.
According to analysis by Check Point Research (CPR), the risk of this ransomware attack is not limited to the service providers that have been targeted. What can make the impact of this vulnerability even more devastating is the role of these servers, which usually host other virtual servers. Thus, the damage is likely widespread, even more so than initially reported.


The evolution of ransomware

In their early days, ransomware attacks were carried out by individuals who developed and distributed large numbers of automated payloads to randomly chosen victims, collecting small sums from each successful attack.

Moving forward into 2023, we saw an evolution of ransomware, with attacks becoming mostly human-driven processes carried out by multiple entities over several weeks. Attackers hand-pick victims and employ a variety of techniques to extort significant sums of money. Threats and extortions involving the possible exposure of stolen sensitive data have proven to be very effective in each case.

The Impact of Ransomware Attacks on Businesses (2022)

Globally, at least 1 in 13 organizations experienced an attempted ransomware attack in the last year, according to data reported by CPR.
· In APAC – 1 in 11 organizations
· In EMEA – 1 in 12 organizations
· In the Americas – 1 in 19 organizations

According to analysis of initial threat indications detected by Incident Response Services (CPIRT) in 2022, nearly 50% of observed events are ransomware infections. Data from the CPIRT shows that the most serious risks, visible from the perspective of large companies, are full-blown ransomware attacks and complete network compromises.
