Hacker attack: how it was carried out and how to defend yourself

Listen to the audio version of the article

A large coordinated ransomware attack was launched on Friday afternoon, affecting over a thousand businesses globally. The companies involved are mostly European, but there have been no shortage of US and Asian ones, while there is no evidence in Russia, Africa, Iran and other smaller states.

The attack exploited a vulnerability already known for a couple of years in a software called ESXi, produced by VMware, which is used to create and manage virtual machines on dedicated servers. The vulnerability had already been fixed, but many companies did not proceed to install the update and were left exposed to attacks that often resulted in the installation of ESXiArg ransomware, a piece of malicious software that makes all the data it can access unreadable by encrypting it with a secret key.

The criminals ask for a ransom of two bitcoins to provide the decryption key which is currently the only way to regain access to the data, if the companies have not provided a backup.

The vulnerable and currently under attack versions appear to be the ones prior to 7.0 U3i and the recommendation of the experts is to immediately update the vulnerable software using the already available update.

«The security of our customers – says Raffaele Gigantino, country manager of VMware Italy – is an absolute priority for VMware. We immediately took action directly with the authorities in charge, our customers and our partners. There security hygiene is a key component in preventing ransomware attacks and customers using versions of ESXi affected by CVE-2021-21974 and have not yet enforced the patches they must act as indicated in the notice.