More than 500 European organizations have become fresh targets for the ESXiArgs ransomware, according to data collected by a security research firm.
Censys researchers Mark Ellzey and Emily Austin have been updating a daily dashboard that tracks the spread of the ransomware campaign, which began raising alarms globally earlier this month.
Over the last few days, Austin and Ellzey said they have observed just over 500 hosts that have recently been infected with ESXiArgs. France saw 217 new incidents, while 137 appeared in Germany, 28 in the Netherlands, 23 in the U.K. and 19 in Ukraine.
A Censys chart of the recent ESXiArgs infections.
One other finding that stands out in the research is that the first infections date back to October 12, 2022 — far before European cybersecurity authorities began warning of the ransomware on February 2, 2023.
“During analysis, we discovered two hosts with strikingly similar ransom notes dating back to mid-October 2022, just after ESXi versions 6.5 and 6.7 reached end of life,” Ellzey and Austin said.
“Prior to widely ramping up a campaign, threat actors often ‘test’ their methods on a select few hosts, so we were hoping to understand more about the earlier stages of these attacks. Analysis of each of these hosts reveals the presence of a ransom note on port 443 going back to October 12, 2022 and October 14, 2022.”
The ransom note is almost identical to the note seen by the thousands of organizations that were infected in the initial wave. That outbreak included more than 3,800 organizations across the United States, France, Italy and more, including Florida’s Supreme Court, the Georgia Institute of Technology, Rice University and several schools in Hungary and Slovakia.
The only differences between the ransom notes seen on the initial attacks in October and the first wave in early February are different ways to communicate with the hackers and a lower ransom — about half of what is being demanded now.
Last Friday, cybersecurity firm Rapid7 said its Project Sonar telemetry showed that 18,581 ESXi servers are still vulnerable to CVE-2021-21974 — a 2-year-old vulnerability being exploited to spread ESXiArgs ransomware. ESXi, a VMware product, is used to create virtual machines on servers.
Since CISA published a decryptor created by two Turkish researchers, the ransomware actors have updated the malware to fix the bug that allowed some victims to recover their files.