ESXiArgs ransomware struck hundreds of targets in Europe

March 6, 2023

Recent research revealed that the ESXiArgs Ransomware has successfully compromised over 500 targets in several European countries, such as the United Kingdom, Germany, the Netherlands, France, and Ukraine.

This new report came from a researcher who spotted two hosts deploying similar ransom notes in October last year. These attacks have targeted ESXi versions 6.5 and 6.7, both of which have reached end-of-life status.

The ESXiArgs ransomware started its infection campaigns in October 2022.

According to investigations, the first set of infection campaigns from the ESXiArgs ransomware operators started last year. They did not gain any traction in the cybercriminal landscape until the start of February this year.

Some researchers noted that the authors had updated the ransom notes on the two hosts with a revised version like the ones used by the recent operators. However, the two hosts still differed, since one of them used an onion URL rather than a Tox chat ID, a Proton Mail address, and a low-cost ransom.

Separate research also noted that ESXiArgs is allegedly based on the leaked source code of the Babuk ransomware. Other Babuk-derived variants have also appeared, such as PrideLocker and Cheerscrypt.

This development came a week after the ransomware operators returned with a new variant that altered the encryption process and the ransom note following the deployment of a decryptor to help recover compromised systems.

CISA has since said that the attackers might only target end-of-life ESXi servers or outdated and unpatched ESXi servers.

The spike also mirrors the 87% year-over-year surge in ransomware attacks that targeted industrial organisations last year; 437 of the 605 campaigns struck the manufacturing sector.

The recent tally came from research that studies the continuous evolution of ransomware-as-a-service (RaaS) models.

The latest data collected by an industrial security company showed that nearly 200 ransomware attacks happened in the last quarter of 2022. The most targeted sectors were manufacturing, food & beverages, energy, pharmaceutical, oil & gas, and mining.

Experts suggest that users should update or decommission their end-of-life ESXi servers, since most threat actors are looking to target such systems.
