
Warnings of a major globe-spanning ransomware attack began circulating on social media in early February, but at first there were few details save for reports of the occasional victim. It has now been established that the campaign targeted an old (and previously patched) vulnerability in VMware servers, and that it has grown to become the largest attack of its type in history not involving Windows machines.

Though the vulnerability has been known for some time (and was patched nearly two years ago), the ransomware attack has nevertheless compromised at least 3,200 VMware servers to date. Some of the more prominent victims include the Florida Supreme Court, Houston’s Rice University and the Georgia Institute of Technology. The attackers are not believed to be a major ransomware gang, however, and the Cybersecurity and Infrastructure Security Agency (CISA) released a recovery tool to the public on February 8.

Security agencies around the world, including government teams in Italy and France, began sounding warnings about the massive ransomware attack and the involvement of VMware servers on February 5. The attack has been global and very visible, scooping up unpatched VMware servers that have been neglected since the CVE-2021-21974 vulnerability was reported and patched in February 2021.

The breadth of the attack is due to the vulnerability being in VMware ESXi servers, which are used to partition hardware and manage multiple virtual machines. This can create a cascading compromise: a breach of an ESXi host gives the attacker further access to whatever virtual servers it is hosting on the hardware it manages.