By William Altman, Cyber Threat Intelligence Principal and
Yvette Essen, Head of Content, Communications & Creative
The ongoing automated ransomware campaign ESXiArgs is targeting outdated VMware ESXi hypervisors installed on servers around the world. The first reports of ESXiArgs surfaced on Friday, February 3rd, 2023, and within days internet-wide scans showed thousands of infected servers, indicating a rapid infection rate.
This article aims to advise the cyber (re)insurance and broking industry on the developments to date and what actions they should take to advise their clients.
What is happening?
The ongoing automated ransomware campaign ESXiArgs is targeting outdated VMware ESXi hypervisor servers around the world. Up to 70,000 ESXi hypervisors could be vulnerable.
VMware ESXi is a hypervisor: software that creates and runs virtual machines (VMs) directly on server hardware. VMware sells it to cloud hosts and other large-scale enterprises that consolidate their hardware by running several VMs, each with its own operating system, on a single physical server.
A single ESXi host can run many isolated guests, whether copies of the same operating system or different ones, and one host can support up to 128 virtual Central Processing Units (CPUs) and 120 Virtual Machines (VMs) (exact limits depend on the ESXi version). Because every VM on a host depends on that host's storage, compromising one hypervisor can affect every tenant and workload it carries, multiplying the number of impacted entities.
Countries impacted to date
Both France and Italy's Computer Emergency Response Teams (CERTs) have issued alerts warning of attack campaigns targeting VMware ESXi hypervisors with the aim of deploying ransomware on them.
The majority of impacted ESXi servers are in France and Germany, where they are mainly run and managed by the cloud hosting providers OVHcloud (a French multinational) and Hetzner, respectively.
Cybersecurity agencies in smaller countries, including Singapore, have also raised alarms. At least a dozen universities have been reported to be impacted, including the Georgia Institute of Technology in Atlanta, Rice University in Houston, and institutions of higher learning in Hungary and Slovakia. Florida's Supreme Court has also stated that it was impacted by ESXiArgs ransomware.
Identifying vulnerable companies
CyberCube has analyzed companies in its Industry Exposure Database (IED) to identify organizations running VMware ESXi hypervisors that could be vulnerable to the ESXiArgs ransomware. CyberCube's IED is a representative portfolio of insurable US entities expected to carry stand-alone cyber insurance.
Large US-based insureds operating in banking, education, manufacturing, non-profit, aviation, and agriculture are at higher risk of being attacked by threat actors leveraging vulnerabilities in ESXi hypervisors than insureds in other industries. These six industries show the highest concentration of ESXi hypervisors, so they are also likely to hold the largest population of legacy ESXi versions that remain vulnerable to exploitation and, in turn, to ESXiArgs ransomware.
Large insureds ($1 billion-plus revenue) are at greater risk of being impacted than medium, small, or micro-sized insureds. Large-sized companies are more likely to require the use of hypervisors and virtual machines as the foundation for the large-scale deployment of cloud computing and cloud storage resources.
Insureds in every sector that rely on legacy ESXi infrastructure, including versions that are unpatched and/or end-of-life, are at risk. VMware as a platform, and ESXi in particular, are complex products to manage from a security perspective. Underwriters should pay particular attention to organizations that operate on thin margins and have limited budgets for IT staff, version upgrades, and software patching.
CyberCube customers can use Single Point of Failure (SPoF) Intelligence to help determine whether companies in a portfolio are using virtual machines on ESXi hypervisors maintained by a third-party cloud provider. These companies are at risk of having the data on their ESXi-hosted VMs encrypted, and potentially stolen, by ESXiArgs ransomware.
How can cyber reinsurers and brokers prepare for events like ESXiArgs ransomware?
CyberCube has modeled a large-scale ransomware attack as part of Portfolio Manager, a scenario-based data-driven model that enables risk professionals to develop insights for their senior leadership and teams. It also allows stress testing of portfolios of insurance risk so that loss drivers and areas of accumulation risk can be identified.
CyberCube models several outage scenarios for major cloud service providers (CSPs). In Scenario 37 — one of the most devastating scenarios — threat actors attack a major CSP with ransomware. Insureds are unable to access hosted environments, storage, and/or data to varying degrees and experience downtime until restored.
CyberCube's single-risk broking and underwriting solutions can help identify companies that tolerate outdated and End-of-Life (EOL) software products like the vulnerable versions of ESXi being targeted in this attack. Companies that tolerate large amounts of EOL products are vulnerable to other threat actors exploiting known vulnerabilities to achieve network access.
The potential impact
While it is too early to determine the full impact of this large-scale ransomware attack, similarities can be drawn to Kaseya VSA in July 2021. The REvil group exploited a vulnerability in Kaseya's VSA remote management software to distribute ransomware to the software's users, affecting hundreds of businesses and organizations around the world. It is considered to be one of the largest ransomware attacks in history by the number of unique entities impacted.
The impact of the ESXiArgs ransomware attacks is still being tallied. However, given that the attacks have already encrypted data on thousands of servers, each of which could host up to 120 VMs, this attack is starting to look comparable to (or worse than) Kaseya.
This article summarizes the key themes of a new report, "CyberCube Advises Cyber (Re)insurers on Ransomware Risks to Outdated VMware Servers", which can be found here. An audio version of the report is also available.
Sign up for CyberCube's forthcoming webinar, Global Threat Briefing H1 2023 here.